What, Why and how? Transition to TickITplus... Welcome and Introduction

Transcription

1 Transition to TickITplus... What, Why and how? Welcome and Introduction Peter Lawrence MSc FBCS CITP FCQI CQP Chairman Joint TickIT Industry Steering Committee

2 Agenda Morning Welcome and benefits of TickITplus Overview and components Benefits from using the Business Process Library (BPL) Constructing your Process Reference Model (PRM) Break and Refreshments The Assessment Coverage Index (ACI)... Levelling the playing field Assessor and practitioners Lunch. Peter Lawrence JTISC Chairman David Wynn Lead TickITplus Capability Assessor David Wynn

3 Agenda Afternoon How to transition from TickIT to TickITplus using the Core Scheme Requirements (CSR) TickITplus case studies reflecting on experiences implementing TickITplus and lessons learnt: Nexor Ltd Irene Dovey IPL Information Processing Ltd Graham Gee Logica UK Ltd Bill Martin Break and Refreshments Finish. Question and Answers Session Summary and Close Phil Willoughby LRQA s ICT Technical Manager TickITplus panel Phil Willoughby

4 Transition to TickITplus... What, Why and how? Welcome and benefits of TickITplus Peter Lawrence MSc FBCS CITP FCQI CQP Chairman Joint TickIT Industry Steering Committee

5 TickIT Framework Established in 1992 to address growing concerns in the UK for the supply of dependable software and IT systems Specifies best practice, along with requirements for the formal qualification of ISO 9001 assessors within the IT sector Has been through five revisions, but is not perceived to have kept pace with the changes in the IT industry in particular the growing focus on services over software New approach to broaden appeal provide an integrated assessment framework regain lost credibility and customer confidence re-vitalise and re-energise auditors.

6 TickITplus Drivers Critical dependency on IT systems Changing IT landscape Emerging (converging) standards ISO (ITIL/Service Management) ISO (Security Risk Management) ISO (Software Lifecycle) ISO (System Lifecycle) Demand for a graded approach (ISO 15504, SPICE) Flexibility and graded costs Differentiation and competitive advantage.

7 TickITplus Enhancements Built on multiple international standards UKAS accredited Third party verified Straightforward migration Up-to-date and competent assessors Focuses on outcomes and business drivers Promotes positive and cooperative relationships with certification body (CB) Encourages systematic and ongoing improvement Provides a benchmarking framework.

8 Do We Need Quality? The project successfully rejected the established constricting and negative influences or prescriptive engineering, onerous quality requirements and outdated concepts of inspection and client control Petrobras 2001 (loss in excess $500M)

9 Where assessment and certification programmes fail? Lack of sponsorship and ownership from senior leaders Insufficient link to business goals and objectives Questionable business benefits Trophy hunting Spiralling costs with no returns Constrained by the standards and reference models It s all very well you bringing up these certification issues, but we ve got to deal with real business problems here EMEA Service Exec (during Services Board Meeting).

10 What are the Ingredients for Success? The CEO and top leadership is actively involved and committed The programme is linked to defined strategic goals Changes and improvements are linked to clear financial payback Don t adopt an off the shelf solution Customer focus is critical Fortune Magazine.

11 Summary TickITplus Principles From Conformance to Performance Conformance Processes are repeatable, but performance is poor ACTION Drive systematic improvement in the core process Processes are chaotic and out of control with poor and unpredictable performance with high cost of quality ACTION Apply Standard Process and robust Quality Assurance Processes are repeatable and yield consistently good performance with high productivity ACTION Drive continual improvement in the core process Results are good but processes are non-standard with sub-optimisation and poor leverage ACTION Identify best practices and apply to standard processes Performance To achieve excellence an organisation must standardise processes and drive improvement

12 ... cont TickITplus Principles FOUNDATION (Conformance) Establish standard processes across the organisation Integrated Management System (ex.qms) Continual Improvement Conformance Performance VISION (Performance) Characterise underlying performance and drive systematic improvement ENTRY Policy and working practices are formally documented BRONZE Processes are systematic and deployed with a managed framework SILVER Processes are measured and a baseline of repeatable performance is established GOLD Process Improvements are implemented through quantitative evaluations PLATINUM Processes are continuously improved Continual improvement achieved through standardization and active assessment

13 The Clock is Ticking... Existing TickIT approvals will expire by the end of 2014

14 Transition to TickITplus... What, Why and how? TickITplus Overview Dave Wynn Ceng BSc MBCS Lead TickITplus Capability Assessor Omniprove Ltd

15 Topics Overview and components Benefits from using the Base Process Library Constructing your Process Reference Model The Process Assessment Model The Assessment Coverage Index Levelling the playing field Assessors and Practitioners

16 So why TickITplus? Background TickIT was introduced in over 20 years ago Emphasis on process capabilities and improvement Today It was aimed primarily at software development The IT sector is now much more diverse It provided only guidance Organisations value clearly specified requirements Linked to ISO 9001 it provided only a pass/fail result Desire for better differentials in supplier selection.

17 Key Benefits For organisations: Encourage and promote continuous improvements Support process development to meet business needs Institutionalise good processes and practices Reduce business risk as capability increases Reduce assessment disruption Involving organisational staff in assessments For customers: Provide better criteria for supplier selection purposes Offer clear indications of suppliers process capabilities Allow better risk management For assessment organisations: Provide a clear, well defined structure for conduction assessments with consistent and repeatable results.

18 Key Differences and Changes Process orientated, using primarily ISO/IEC 12207:2007 FDIS (software lifecycle processes) ISO/IEC 15288:2007 FDIS (system life cycle processes) Process capability based on ISO/IEC :2003 Extended standards coverage Formal improvements required Changed from guidance to requirements based scheme Active organisational participation in assessments 3 key components Base Process Library (BPL) Process Reference Model (PRM) Process Assessment Model (PAM).

19 Process Capability Assessments Conducted to gain an appreciation of organisations processes against a defined measurement framework Characterises current practices in terms of the capability of the processes Examines processes to determine the effectiveness in achieving their goals (outcomes) Drives process improvements Using ISO part 2. leads to Process Improvement Process Assessment invokes motivates leads to Process Capability Determination

20 15504 Capability Dimension Level 5: Optimising Level 4: Predictable Platinum Gold The Measurement Framework Capability Level Process Attributes Rating Scale Level 3: Established Level 2: Managed Level 1: Performed Silver Level 0: Incomplete Bronze Foundation

21 Capability Dimension Level 0: Incomplete The process is not implemented or fails to achieve it Purpose Level 1: Performed The implemented process achieves its process purpose Level 2: Managed Level 3: Established The performed process is implemented in a managed fashion and its work products are appropriately established, controlled and maintained The managed process is now implemented using a defined process capable of achieving its process outcomes Level 4: Predictable The established process now operates within defined limits to achieve its process outcomes Level 5: Optimising The predictable process is continuously improved to meet relevant current project and business goals.

22 Capability Dimension Process Attributes & Generic Practices Level 2 Level 2: Managed PA 2.1 Performance management attribute: a) Objectives established b) Planned and monitored c) Adjusted to meet plans The performed process is implemented in a managed fashion and its work products are appropriately established, controlled and maintained d) Responsibilities and authorities defined, assigned and communicated e) Resources and information are identified, made available, allocated and used f) Interfaces between involved parties are managed.

23 Capability Dimension Process Attributes & Generic Practices Level 2 Level 2: Managed The performed process is implemented in a managed fashion and its work products are appropriately established, controlled and maintained PA 2.2 Work product management attribute: a) Requirements defined b) Requirements for documentation and control c) Appropriately identified, documented and controlled d) Reviewed in accordance with planned arrangements and adjusted as necessary.

24 Scheme Stakeholders Joint TickIT Industry Steering Committee (JTISC) Overall scheme control and direction Scheme Office Management Website Management General Administration Registration of Assessors and Practitioners Registration of Training Course Providers Provision of Examinations Standardisation, international harmonisation, certification, accreditation and general public interest requirements IT industry commercial requirements Accreditation of Certification Bodies for TickITplus Slide 24

25 Revised Documentation Requirements & Implementation Specification Outline Technical Specification TickITplus Project Documentation Administration Design Specification Technical Design Specification Assessor & Practitioner Qualification Criteria Training Course & Examination Criteria Delivering Quality in IT TickITplus Core Scheme Requirements TickITplus Base Process Library TickITplus Process Guidance TickITplus Requirements for Assessors and Practitioners TickITplus Requirements for Training and Examinations TickITplus Kick Start Guide TickITplus Scheme Documentation TickITplus Implementation Guidance Slide 25

26 Requirements Based Scheme ISO/IEC Service Management ISO 9001 Mandatory for Certification TickITplus Processes ISO/IEC Information Security Others Others Scope Reference Standards IEC System Safety BS Business Continuity Slide 26

27 Practitioners Important part of the TickITplus scheme Would typically manage the PRM implementation Drive organisational improvements using TickITplus concepts Covered by recognised training and qualification paths similar to the Assessor route Essential to running effective external assessments Can lead and be a team member on internal assessments Only team member on external assessments but require recognised internal auditor qualification Will have their qualifications and possible conflicts of interest assessed by external team lead Can transition to Assessor with required auditor prerequisites that satisfy national Accreditation Bodies Foundation training is available from LRQA and ITG.

28 Grade Qualifications Foundation Quality and IT Skills and Experience Min 5 years (or 4 with IT related degree) in IT related work Min 2 years quality related work Education and Professional Recognised national certificate in Secondary Education at primary level or above Recognised national certificate in an IT related subject at diploma level or above Recognised national quality Lead Auditor registration Assessor CPD Hours Min 25 CPD hours over last 2 years TickITplus qualifications Completion of the TickITplus Foundation Course and examination pass IT Skills Profile (BPL/SFIA) General level 4 across specialist profile (self declared) Level 5 on specialist profile as Lead Qualifying TickITplus Audits Foundation Assessments only None required for Team Member only 5 Assessment Credits and at least 1 assessment as Lead under supervision. (Exemptions for transferring TickIT Auditors) Quality and IT Skills and Experience Min 5 years (or 4 with IT related degree) in IT related work Min 2 years quality related work Education and Professional Recognised national certificate in Secondary Education at primary level or above Recognised national certificate in an IT related subject at diploma level or above Audit experience Recognised national Auditor registration (IRCA or equivalent) to be on an external assessment Practitioner CPD Hours Min 25 CPD hours over last 2 years TickITplus qualifications Completion of the TickITplus Foundation course and examination pass IT Skills Profile (BPL/SFIA) General level 3 across specialist profile (self declared) Level 5 on specialist profile as Internal Lead or External Member Qualifying TickITplus Audits Foundation Internal Assessments None required for Team Member or Lead Foundation External Assessments None required for Team Member

29 Key Components Base Process Library (BPL) Process Reference Model (PRM) Process Assessment Model (PAM)

30 BPL Overview It is maintained by JTISC It provides a set of all IT and IT related Processes It describes processes in terms of purpose, outcomes, base practices and work products Base Process Library (BPL) It defines the Scope Profiles and mappings between processes and requirements and reference standards It is used to create Process Reference Models.

31 TickITplus Processes TYPE A PROCESSES Human Resource Management Management Framework Corporate Management & Legal Infrastructure & Work Environment Management Improvement Measurement & Analysis Customer Focus Risk Management Data and Record Management TYPE M PROCESSES Quantitative Performance Management Quantitative Process Improvement Mandated at Gold and Platinum Level SCOPE DEPENDENT TYPE B/C PROCESSES Capacity Management Integration Management Verification Validation Operations Management Maintenance Management Disposal Requirements Analysis Stakeholder Requirements Definition Service Level Management Transition & Release Management Architecture Design Organisational Processes Technical Processes Development Implementation Continuity, Availability & Contingency Management Acquisition & Contracts Management Supply Management & Business Relationships Lifecycle Model Management Project Portfolio Management Resource Management Security Management Maturity Processes Agreement Processes Domain Engineering Asset and Program Management Project Management Configuration & Change Management Decision Management Information Management Problem & Incident Management IT Finance Management Management Reporting Project Processes IT Specific Processes

32 What is a Process? Controls Inputs Process Outputs Resources Outcomes S2 0800DP

33 Example BPL Process Risk Management Process ID ORG.8 Process Name Risk Management Process Category Organisational Processes Type A Process Purpose To avoid or mitigate potential future events that could adversely affect reaching business objectives Version v1r1 Process Outcomes Process Base Practice Input Work Products Risks are managed and business objectives are not adversely affected by unexpected conditions or events. ORG.8.BP.1 Define Risk Management Procedure The organisation s approach for managing risk is defined, reviewed, documented and controlled within the Integrated Management System (IMS). Output Work Products ISO 9001 Risk Management Procedure b) ISO c) ISO ORG.8.BP.2 Establish Risk Management Plan Risk management plans are defined for use by the organisation. This risk management plan includes the approach to be taken, roles and responsibilities, timescales and thresholds for triggering action. Business Plan Stakeholder Requirements Risk Management Procedure Risk Management Plan 5.1 a) A9.2.1 ORG.8.BP.3 Identify and Analyse Risks Risks, both internal and external, are identified, analysed and documented to determine the priority for action. Business Needs Business Objectives Risk Management Plan Risks d) A9.2.5 A ORG.8.BP.4 Track Risks The status of each risk is monitored and appropriate actions are taken to address risks, where planned triggers are activated or defined thresholds are exceeded. Actions are reviewed to ascertain their effectiveness and changes made. The risk management documentation is updated with the status of current risks. All actions are tracked to closure and records are maintained. Risk Management Plan Risks Risk Records d) ORG.8.BP.5 Report Status and Escalate The status of each risk, together with any actions, is reported to stakeholders. Where actions are not effectively addressing the risk they are escalated. Risk Records Risk Reports d) 4.2 d) ORG.8.BP.6 Analyse Risk Management Performance Data from across the organisation is reviewed and analysed in order to identify and address common or reoccurring risks. Risks Improvement Request a) S4 1000DP

34 Scope Profiles Legal and Compliance Service Management Systems & Software Development & Support Project & Programme Management Corporate Strategy Planning & Management Information Management & Security Product Validation, Quality & Measurement IT Systems Engineering & Infrastructure Dealing with the delivery of products or services within a legal and compliance framework; covering business analysis, corporate responsibility, risk and compliance audit Operations in a service management environment; delivering IT based services to clients either outsourced or internal All aspects of systems and software development, both traditional and new methodologies. Long term support and maintenance. Multidiscipline programme and project delivery as a specialist area: analysis, reporting, risk and general project management. Taking an organisational wide view of IT operations, long term planning, high level management. Delivery of information and systems to meet both data and security requirements. Independent testing and validation of product and services. Ensuring quantitative quality and measurements are applied to product development and delivery. Operations involving network and data handling systems, server farms, data centres and supporting infrastructure.

35 Scope Profiles and BPL Processes

36 PRM Overview It is produced and maintained by the organisation It is derived from the BPL but can be extended for organisational specific process needs Introduces defined processes through tailoring Process Reference Model (PRM) Maps Type-A, Type-B and any Type-C processes used to the organisational IMS Guidance on creating a PRM in ISO/IEC TR 24748, PAS 99 ISO/IEC TR Primary role of the Practitioner to create the PRM.

37 Example PRM Defined Process Risk Management

38 Process Assessment Model Produced by the assessor but involving the organisations Derived from the PRM Identifies the assessment Implemented Processes Sample It brings together process performance and process capability indicators Process Assessment Model (PAM) Records the Process Outcome ratings and identifies associated nonconformances Provides the basis for calculating Process Capability and Organisational Maturity Once completed provides the record of assessment.

39 Implementation and Assessment JTISC Base Process Library Creation & Maintenance Organisations Assessors Scope Determination and Defining Certification Requirements Certification Bodies BPL Process Reference Model Contract Org QMS Assessment Strategy Documentation and PRM Review Readiness Review Assessment Planning Process Assessment Model Report Assessment Schedule Corrective Action & Improvements Conduct Assessment Process Assessment Model Report TickITplus Certificate Technical Review and Certificate Award

40 Exploration or Confirmation Exploration Confirmation Evidence does not need to be made available at the start of the assessment Evidence of adequate implementation of Base Practices and Work Products must be sought by external assessment team members The evidence must be tested by correlation to other evidence Interview will be used and must include external assessor Evidence is expected to be made available at the start of the assessment Any team member can confirm the evidence The evidence must be tested by correlation with other evidence Multiple samples are not necessary Interviews must be held to confirm the prepared sample and must include external assessor.

41 Assessment Coverage Index A calculation based on: Number of people in the TickITplus Scope Number of people covered by the Implemented Process Sample Number of hours effort planned for the Assessment. Assessment Mode F dation Bronze Silver Gold Platinum Confirmation Exploration Slide 41

42 Transition to TickITplus... What, Why and how? How to transition from TickIT to TickITplus Certificate Renewal and Transitional Assessments Foundation Level Phil Willoughby LRQA ICT Technical Manager

43 TickITplus delivery process Contract Preparation PRM Review Assessment Planning Readiness Review The Assessment Technical review Certification

44 Contract Preparation Assessment Strategy Scope of Business Number of Staff TickITplus Grade Profile Number of Defined Processes Number and Size of Workgroups Contract Preparation Quotation in mandays.

45 TickITplus delivery process Contract Preparation PRM Review Assessment Planning Readiness Review The Assessment Technical review Certification

46 Documentation and PRM Review Assessment Strategy PRM Management System Documents Documentation & PRM Review Report Decision to proceed Non-conformities Versions of all documents.

47 Review Highlights Alignment of Strategy and PRM Complies with CSR requirements Carried out by the Lead Assessor Preferably on site Demonstrates the organisation understands Ensures the organisation is ready for the Stage 2 Assessment Organisations improvement plan.

48 TickITplus delivery process Contract Preparation PRM Review Assessment Planning Readiness Review The Assessment Technical review Certification

49 Assessment Planning Assessment Strategy Improvement Plan Previous PAMs Assessment Reports Assessment Planning Assessment Plan Schedule Resources.

50 Planning Highlights Can be initiated at any time in the pre-assessment activity Finalised after the Readiness Review Confirmation or exploration modes selected Creates the initial PAM Determines the Implemented Process Sample.

51 Assessment Readiness Review Has the organisation prepared for the Assessment? internal assessments and corrective action (at Foundation they can be TickIT type) improvement Plan is being implemented and monitored people allocated to plan activities (exploration mode) practitioner required evidence collected by the Practitioner (confirmation mode) assessment logistics arranged no significant changes since PRM Review or Assessment Planning activities Can be conducted on site or remotely.

52 TickITplus delivery process Contract Preparation PRM Review Assessment Planning Combined Review Readiness Review The Assessment Technical review Certification

53 The Assessment opening meeting process verification team agreement on the findings completion of the PAM (other than at a transitional assessment) report generation closing meeting.

54 Process Verification The defined processes are verified against the PAM by examining the IPS using the agreed assessment mode For Foundation level the single Process Attribute (PA), Process Performance needs to be assessed All defined processes assessed.

55 Findings Findings are graded following team discussion Positive and negative observations Major and minor non-conformities The characterisation (rating) of PA s is based on the number and type of nonconformities.

56 Converting findings to ratings Findings Comments and notes FI LI PI NI No findings Positive observations only Negative observations only Team decision based on the balance of positive and negative observation, risks, quantity of observations. Consideration should be given to raising a minor NC. 1 Minor NC Team decision based on the balance of any positive and negative observations and risks Multiple Minor NCs Team decision based on the balance of any positive and negative observations, risks, quantity of NCs. Consideration should be given to raising a major NC 1 Major NC Team decision based on the impact, risks, severity of any minor NCs, or positive and negative observations Multiple Major NCs

57 TickITplus delivery process Contract Preparation PRM Review Assessment Planning Readiness Review The Assessment Technical review Certification

58 Certification

59 Transitional Assessments Designed to be simpler than a full initial or certificate renewal visit: PRM review, Planning and Readiness Review combined PAM not required Only 50% of type B s require assessment Carried out by your regular Lead Assessor No characterisation required.

60 Transition Integrating with Existing Monthly Visits Visit Additional Visit Visit + 1 Request Transition PRM, Planning and Readiness Reviews Assessment Visit Additional visit Visit + 1

61 Summary Transitional Assessments are a gentler route to TickITplus The Core Scheme requirements document explains everything.

62 Transition to TickITplus... What, Why and how? TickITplus Conformance to performance Bill Martin Assurance and Improvement Manager Logica UK Ltd

63 Transition to TickITplus... What, Why and how? TickITplus... what it can do for you Graham Gee Quality and InfoSec Manager IPL

64 IPL Background Trusted, independent consulting & solutions house 30+ year track record 260 staff, 28m+ turnover Business/mission critical contexts Consistently exceed expectations Multiple market sectors Aerospace & Defence Banking & Finance Civil Government incl. Emergency Services Transport Telecoms & Utilities. Official Business Partner

65 IPL s focus on Quality IPL s origins more than 30 years ago in UK Aerospace & Defence Objective since 1979 to provide customers with high quality, high reliability software within timescale, budget and specification Quality is the responsibility of all individuals within the Company More than 20 years ago (before SEI s CMM existed) By 1988 IPL s QMS and processes were aligned to the international standard ISO 9001 and a few years later the TickIT software sector-specific scheme TickIT was largely adopted by the UK software development industry Especially in IPL s core market sector with high quality requirements.

66 Certifications & Affiliations ISO 9001:2008/TickIT ISO 27001:2005 ISO 14001:2004

67 TickITplus Was launched in year clock to migrate from TickIT started ticking in Dec 2011 Adds process capability assessment, with levels mapped to international standard ISO/IEC 15504, similar to CMMI So moves TickIT to same basis as CMMI but also Backed by UK plc (including BSI, BCS, Intellect, MoD) Integral part of certification to international standard ISO 9001 by certification bodies such as BSI, LRQA and DNV Requires mapping of project, technical, organisational, IT-specific, agreement and maturity processes to the Base Processes Library.

68 Steps to TickITplus: TickIT lead auditor course in 2006: Declining interest in the scheme; only one accredited trainer in the UK Auditor and company registrations dropping; only ever good practice guidance CMMI stolen march in India and elsewhere from its US origins Joined IPL in Oct 2007 aiming to bring QMS into 21 st century Long experience in Quality/TickIT and with BCS.

69 Steps to TickITplus: TickITplus coming soon as UK alternative to CMMI... But took a long time and there was chronic lack of communication Occasional pressure around CMMI in questionnaires and responses Happened again at end of 2010 around Thales preferred supplier selection Transition of Certification Body to LRQA December 2010.

70 Steps to TickITplus: during 2011 Kept the faith information sessions hosted at Intellect, early 2011 Speculative gap analysis cf. list of process titles March/April 2011 Assessor/practitioner training by Dave Wynn for IT Governance June 2011 Base Process Library (BPL) finally published also June 2011 Confirmed gap analysis (cf. BPL) > 1 st draft PRM July year clock to migrate from TickIT started ticking in Dec 2011 LRQA Stage 1 assessment end Sept > 3 Minor N/Cs LRQA Stage 2 assessment Dec > certification but raised 7 new Minor N/Cs (just before Christmas!) and Corrective Action Plan Continuing assessment end Mar 2012 closed all TickITplus N/Cs.

71 What does TickITplus involve? Eight scope profiles (currently two) 40 processes: original BPL had 22 (organisational, project and technical) Mapped to four international standards ISO 9001 ISO and ISO resp. Q2/Q ISO basis laid but rest later, possibly 2013 Combined assessor/practitioner training overseen by gasq Currently three UK Certification Bodies (BSI, DNV, LRQA) Run by Joint TickIT Industry Steering Committee (JTISC)

72 Measurement and Analysis Process ID ORG.6 Process Name Measurement and Analysis Category Organizational Processes Type A Process Purpose To provide information to enable better decision making. Version v1r0 Process Outcome Process Base Practices Input Work Products Output Work Products ISO 9001 OU.1 BP.1 Define Measurement and Analysis Policy and Procedures Business Plan Measurement Policy 4.2.1d) Measurements are used to demonstrate achievement of business objectives, to support decisions and identify improvement. Policies are established, approved and communicated to ensure that measures are identified, collected, analysed, reported and used, to support the achievement of the business plan. Procedures are established for developing measures against key business objectives, to understand performance. The procedures define the method for identifying, collecting, storing, analysing and using measures. Policies and procedures are periodically reviewed and updated in line with the business plan. The policies and procedures are maintained under the management framework. Measurement Procedures Measurement is embedded in the top-level documents for each management system. [Business Needs] Quality Policy There is a specific Integrated Management Procedure (IMP02) focussed on audit and improvement Strategy, Objectives, Targets, Key Performance Measures IS and ISMS Policies IMP02, Audit and Improvement BP.2 Identify Measurement Objectives and Data Business Plan Measurement Objectives The organization establishes where measures are necessary and identifies the objectives and data sources necessary to achieve them. Stakeholder Requirements Measurement Data Sources The objectives and data sources are reviewed and agreed by stakeholders. Company-level measurement objectives are defined for each management system. The top-level objectives Strategy, Objectives, Targets, for the services business are in the SBM. There are more detailed measurement objectives in a document for Key Performance Measures Operations which informs the specific objectives for each software project. Quality Policy These are reviewed and agreed by the Quality Review Board (QRB, comprising COO, CTO and Quality IS and ISMS Policies Manager) for Quality, and the IS Forum for InfoSec. Quality Objectives Services Business Manual Operations Quality Objectives Quality Plan: Quality Objectives ISMS Overview BP.3 Collect and Analyse Measurement Data Measurement data is collected and stored in line with the collection method. The measurement data is validated and any need for additional measurement is identified The measurement data is analysed to provide indicators and recommendations to stakeholders. Measurement Objectives Measurement Data Sources Measurement and Analysis Data Measurement And Analysis Report 8.4

73 Project Management Process ID PRJ.1 Process Name Project Management Category Project Procedures Type B/C Process Purpose To ensure that the projects meet their objectives. Version v1r0 Process Outcome Process Base Practices Input Work Products Output Work Products ISO 9001 OU.1 The organization achieves project objectives in a controlled manner, and delivery is on time, in budget and to quality. BP.1 Establish Project Management Policies and Procedures Business Plan Policies are established, approved and communicated that govern the project management methodology and the delivery of projects. Procedures are defined, approved and made available for use, to implement the project management policies. The procedures cover project planning, tailoring, estimating, monitoring and control, resourcing, reporting, escalation, together with supplier, stakeholder, risk and issue management The policies and procedures are maintained under the management framework. The Delivery Manual contains the processes related to project management. It was reviewed and approved by a subset of the Board and Exec Committee. Supporting documents provide additional procedures. They are made available via the intranet. Strategy Annual Business Plan Services Business Manual Project Management Policies 4.2.1d) Project Management Procedures Delivery Manual SCOP-R: Project Control Quality Objectives Management Procedure 2: Progress Reporting SCOP-P 9001, Risk Management BP.2 Scope the Project A scope statement is defined for the project with deliverables agreed by stakeholders. The quality objectives and the requirements for the project are established and documented. Objectives, constraints and assumptions are recorded and agreed before project initiation Projects select and tailor the appropriate lifecycle model, and the rationale is documented. Estimates are produced against the agreed scope, including any necessary contingency. A budget for the work to be undertaken is prepared. The scope, objectives, constraints, selected approach, estimates and budget are reviewed by stakeholders and approved by management. Stakeholder Requirements Scope Statement Project scope and estimates will have been defined as part of the proposal process. The Delivery Manual and SCOP-R describe how to initiate a project. The Project Plan and Quality Plan set out the key aspects for the project to be delivered. Invitation to Tender/Request for Proposal Proposal Delivery Manual: Initiate Project SCOP-R: Project Control Operations Quality Objectives Project Plan Quality Plan: Project Lifecycle

74 Architectural Design Process ID TEC.13 Process Name Architectural Design Category Technical Processes Type B/C Process Purpose To produce a top-level design that identifies the major components and interfaces of the product. Version v1r0 Process Outcome Process Base Practices Input Work Products Output Work Products ISO 9001 OU.1 BP.1 Establish Development Approach The top-level design Different development approaches are considered in formulating the architecture design, and an approach addresses all the is selected that best meets the system requirements. system requirements, The selection decision and supporting rationale is documented, reviewed and approved. with no defects found in development. Initial development approach is captured in quality plan. Refined during requirements and design stages. Lifecycle Model Description and Assets SCOP-P 800x, Software Development Methods ETC Agile Framework Selected Lifecycle Quality Plan BP.2 Create Architectural Design The top-level design is created taking into account the architectural standards of the organization. The major components and interfaces necessary to meet the system requirements are identified. System requirements are traceable to the major components. Interfaces include interactions between system components, and between the system and the external environment. Design constraints, assumptions and dependencies are documented. System Requirements Top Level Design Traceability Report 4.2.1d) The system is designed to ensure that it meets the system requirements, external interfaces and selected design standards. Design specifications are produced in line with the design methodology selected. SCOP-P 2001 provides the default format and content for design specs. The approach to traceability depends upon customer requirements, the nature of system under development and any applicable standards (e.g. higher levels of DO-178B) plus the design methodology and modelling tools being used. System Requirements Spec High Level Design Quality Plan: Design Process Traceability Matrix SCOP-P 200x, design standards BP.3 Review Architectural Design The top-level design is reviewed by stakeholders to ensure all system requirements have been adequately addressed. The customer is advised of any adverse impact on cost, schedule and customer needs arising from the proposed top-level design, along with possible alternatives. Top Level Design Review Records Top Level Design Customer Notifications The review approach is defined in the Quality Plan. Detailed reviews can include Preliminary and Critical Design Reviews with customer involvement. High Level Design Quality Plan: Review Process SCOP-P 4001, Review Standards High Level Design Review Records BP.4 Manage Architecture Changes Changes to the top-level design are formally controlled through the change control process. Changes to the top-level design are reviewed by stakeholders for their impact on cost, schedule and customer needs. The results of the review are communicated to stakeholders, and records maintained. Change Request Change Record b) 7.3.7

75 What has TickITplus done for us?

76 So where do you want to be? From Everett Rogers, Diffusion of Innovations, 1962

77 TickITplus lessons/benefits Modern, pragmatic, detailed process/practice requirements NOT good practice guidance (cf. TickIT) and less bureaucratic than CMMI TickITplus Foundation level (BPL v1.0 with 22 processes) is equivalent to CMMI Levels 2/3 (resp. 7/11 processes) Based on international standards - ISO 9001 with ISO (aka. SPICE) capability maturity dimension to be added Regular, professional and independently assured assessments by certification bodies - currently BSI, DNV and LRQA in the UK cf. CMMI Initially external assessment costs are higher (number of processes) BUT combined assessments across ISO and ISO will help.

78 IPL where next with TickITplus? Some processes were initially challenging and may need improving/redefining/discussing with LRQA Configuration/change management Integration management Transition/release management Stakeholder requirements Lifecycle model management Improvement LRQA s recertification visit at end of August 2012 Extension to cover ISO later in 2012? Could consider adding additional scope profiles? Move up to Bronze (OK) and Silver (difficult) when available Share the good news with the UK IT community via BCS, LRQA, Intellect, with Omniprove and Nexor.

79 Questions? Dr Graham Gee FBCS CITP TSSF Quality & InfoSec Manager Eveleigh House Grove Street Bath BA1 5LR

80 Transition to TickITplus... What, Why and how? Nexor s TickITplus Journey Irene Dovey Business Improvement Manager Nexor Ltd

81 connect transform protect TickITplus and Nexor

82 Company Profile

83 Our Positioning TS Secret Confidential High Assurance Impact levels 4-6 Specialised requirements Baseline components Tailored, accreditable solutions Medium Assurance Impact level 3 Specialist COTS product Scheme assessment Nexor Capability Acknowledged domain expertise End-to-end service Accreditation ready OTS framework Process maturity Nexor COTS products Microsoft ready Full professional services package Restricted Unclassified Standard Assurance Low impact levels Commodity COTS products Wide choice

84 Our Customers and Partners End Customers Bulgarian MOD Canadian DND CSEC European Defence Agency French MOD GCHQ Government of Canada Italian Navy NATO Netherlands Navy Niteworks Slovak Army UK MOD System Integrators Cassidian CSC Elta-R Force Vision Fujitsu GD HP Interactive sbc Logica QinetiQ Scientia Selex Steria Ultra Electronics Partners Accuvant Ascentor BAE Systems Boldon James FOX-IT IPL Microsoft Red Hat RJD Technology Titus Labs Tresys

85 Our Maturity

86 Our TickITplus journey... ISO9001 / TickIT and ISO in place for a number of years Became interested in CMMI around 2006 Used the CMMI framework to widen and deepen the scope of improvement activities Came to a point where we felt ready for formal CMMI Scampi appraisal but just could not justify the cost (money and effort!).

87 So, how did we get to TickITplus? Attended a business improvement workshop at Intellect in 2009 and first heard of TickITplus Liked the sound of what we heard and volunteered to get involved in the Pilot Scheme Slow start and not a lot happened for a while... Then things started to move with changes to the Committee (JTISC) and we became involved in producing the Base Process Library (BPL).

88 So, how did we get to TickITplus? Liked what we saw of the BPL and internally decided to use it as a tool to undertake a gap analysis confirming which practices we were doing and identifying ones which we weren t! Where possible, we involved staff relevant to the particular area From this, we developed an improvement action plan capturing areas where we could improve and also where we could do things more simply.

89 Improvement Action Plan example... Action No Improvement Activity 1 Risk Management Framework procedure does not differentiate sufficiently between business and project risks 2 Size measurement in estimation Action Benefits Owner Date Created Procedure to be updated and circulated for review. Comments / suggestions requested by 05/11/2010. Currently collecting requirements vs actual effort metrics as a starting point. A generic risk management approach across the Business. To improve and validate estimation IHD 01/11/201 AJK 01/11/201 By When 05/11/2010 Reviewed, updated and published on the 0 Intranet Action complete. 31/01/ : Current requirements size 0 measure is not effective. Further size measures are currently being reviewed : Consideration to reviewing GQM for this area - maybe incorporate complexity or number of user stories. 3 Product Lifecycle Management 7 Measurement and Analysis needs reviewing Need to clarify our approach to new lifecycles in the PMF. Policy will be updated and consideration will be given to whether a dedicated procedure is required. Note: M&A is currently incorporated in Developing and Improving Policies and Procedures procedure. To aid understanding of approach to Agile development which is new to the business. To aid identification of key areas where metrics may prove useful in monitoring and improving performance. AJK 01/11/201 IHD 01/11/ : Ongoing. 30/11/ : PMF updated to include this. 0 Action complete. 31/01/ : Policy updated : AMP will review and update the current Metrics spreadsheet. IHD will review the Developing and Improving Processes and Procedures procedure and make recommendation on what is required : AMP to upload revised List of Metrics spreadsheet for comment. IHD to update D&IPP procedure in line with recommendations. 24 QA, Documentation and Record Control would benefit from an approval matrix for each type of document Update the procedure Ensure clarity for document approval DEF 01/11/ : Metrics re-circulated for comment (to AJK, KJB, IHD) : Procedure update. 0 Action complete

90 So, how did we get to TickITplus? Then decided to formally adopt TickITplus In preparation: undertook Practitioner training in April 2010 started working on our Process Reference Model (PRM) liaised with LRQA and sought guidance from Dave Wynn Stage 1 Foundation-level assessment early December 2010 Stage 2 Foundation-level assessment mid-december and became the first to become certified to TickITplus.

91 What have we gained? Basically, TickITplus has reinvigorated our improvement activities! BPL offers good practice over and above the Standards it incorporates Mapping existing practices to BPL is a good way of doing a gap analysis to identify areas for improvement Provides sound basis if the Process Area is new or is not currently effective Opportunity to get the people who do the work to complete their Process Area (collaboration) Demonstrates a commitment to quality to customers.

92 What have we learned? External assessments are more rigorous initially and on an on-going basis no places to hide! More time-consuming and does require preparation initially and on an on-going basis Because more time is required, there is a cost implication transition and tri-annual assessments (not surveillance visits).

93 Now and where to next? Since initial assessment, three surveillance visits Momentum keeps going Getting smarter (BPL becoming leading rather than lagging) Looking to adopt the next phase of TickITplus which incorporates ISO To help in developing our service offering Plan to progress TickITplus through the capability route.

94 Nexor Ltd Any queries or for more information on how we approached TickITplus Irene Dovey Business Improvement Manager Nexor Ltd Tel:

95 Transition to TickITplus... What, Why and how? Question and Answer Session

96 Transition to TickITplus... What, Why and how? Summary and Close