Transition to TickITplus... What, Why and how?
Welcome and Introduction
Peter Lawrence MSc FBCS CITP FCQI CQP, Chairman, Joint TickIT Industry Standards Committee
Agenda: Morning
- Welcome and benefits of TickITplus
- TickITplus Overview
- Benefits from using the Business Process Library (BPL)
- Constructing your Process Reference Model (PRM)
- Assessor and practitioners
- 11.15 Break and Refreshments
- Continued
- 12.30 Lunch
Presenters: Peter Lawrence (JTISC Chairman); Peter Lawrence & Phil Willoughby (LRQA's ICT Technical Manager)
Agenda: Afternoon
- How to transition from TickIT to TickITplus using the Core Scheme Requirements (CSR): Phil Willoughby, LRQA's ICT Technical Manager
- TickITplus case studies, reflecting on experiences implementing TickITplus and lessons learnt:
  - Nexor Ltd: Irene Dovey
  - CSC: Colin Walford
  - CGI: Bill Martin & Paul Breslin
- 15.30 Break and Refreshments
- Question and Answers Session: TickITplus panel
- Summary and Close: Peter Lawrence
- 16.30 Finish
Welcome and TickITplus Update
Peter Lawrence MSc FBCS CITP FCQI CQP, Chairman, Joint TickIT Industry Standards Committee
The TickITplus Framework
- Critical dependency on IT systems
- Changing IT landscape
- Emerging (converging) standards: ISO 20000 (ITIL/Service Management), ISO 27001 (Security Risk Management), ISO 12207 (Software Lifecycle), ISO 15288 (System Lifecycle)
- Demand for a graded approach (ISO 15504, SPICE)
- Flexibility and graded costs
- Differentiation and competitive advantage
The TickITplus Drivers
TickIT:
- Established in 1991 to address growing concerns in the UK for the supply of dependable software and IT systems
- Specifies best practice, along with requirements for the formal qualification of ISO 9001 assessors within the IT sector
- Has been through five revisions, but is not perceived to have kept pace with the changes in the IT industry, in particular the growing focus on services over software
New approach:
- Broaden appeal
- Provide an integrated assessment framework
- Regain lost credibility and customer confidence
- Re-vitalise and re-energise auditors
The TickITplus Enhancements
- Built on multiple international standards
- UKAS accredited
- Third party verified
- Straightforward migration
- Up-to-date and competent assessors
- Focuses on outcomes and business drivers
- Promotes positive and cooperative relationships with the certification body
- Encourages systematic and ongoing improvement
- Provides a benchmarking framework
The Clock is Ticking...
Existing TickIT approvals will expire by the end of 2014.
TickITplus Principle: From Conformance to Performance
FOUNDATION (Conformance): Establish standard processes across the organisation. Integrated Management System (ex. QMS); Planning, Doing, Checking, Acting; Continual Improvement.
VISION (Performance): Characterise underlying performance and drive systematic improvement.
Grades:
- ENTRY: Policy and working practices are formally documented
- BRONZE: Processes are systematic and deployed with a managed framework
- SILVER: Processes are measured and a baseline of repeatable performance is established
- GOLD: Process improvements are implemented through quantitative evaluations
- PLATINUM: Processes are continuously improved
Continual improvement is achieved through standardisation and active assessment.
TickITplus Documentation
TickITplus Project Documentation:
- Requirements & Implementation Specification
- Outline Technical Specification
- Administration Design Specification
- Technical Design Specification
- Assessor & Practitioner Qualification Criteria
- Training Course & Examination Criteria
TickITplus Scheme Documentation (Delivering Quality in IT):
- TickITplus Core Scheme Requirements
- TickITplus Base Process Library
- TickITplus Process Guidance
- TickITplus Requirements for Assessors and Practitioners
- TickITplus Requirements for Training and Examinations
- TickITplus Kick Start Guide
- TickITplus Implementation Guidance
TickITplus Scope Profiles
- Legal and Compliance: Dealing with the delivery of products or services within a legal and compliance framework; covering business analysis, corporate responsibility, risk and compliance audit.
- Service Management: Operations in a service management environment; delivering IT based services to clients, either outsourced or internal.
- Systems & Software Development & Support: All aspects of systems and software development, both traditional and new methodologies. Long term support and maintenance.
- Project & Programme Management: Multidiscipline programme and project delivery as a specialist area: analysis, reporting, risk and general project management.
- Corporate Strategy Planning & Management: Taking an organisation-wide view of IT operations, long term planning, high level management.
- Information Management & Security: Delivery of information and systems to meet both data and security requirements.
- Product Validation, Quality & Measurement: Independent testing and validation of products and services. Ensuring quantitative quality and measurements are applied to product development and delivery.
- IT Systems Engineering & Infrastructure: Operations involving network and data handling systems, server farms, data centres and supporting infrastructure.
Scope Profiles and Processes
Implementation and Assessment
Participants: JTISC, Organisations, Assessors, Certification Bodies.
Flow:
- Base Process Library Creation & Maintenance (JTISC) produces the BPL
- Scope Determination and Defining Certification Requirements produces the Process Reference Model
- Contract and Assessment Strategy (with the Org QMS as input)
- Documentation and PRM Review
- Readiness Review
- Assessment Planning produces the Process Assessment Model and Assessment Schedule
- Conduct Assessment produces the Process Assessment Model Report; Corrective Action & Improvements follow
- Technical Review and Certificate Award produces the TickITplus Certificate
Two Modes of Assessment
Exploration:
- Evidence does not need to be made available at the start of the assessment
- Evidence of adequate implementation of Base Practices and Work Products must be sought by external assessment team members
- The evidence must be tested by correlation to other evidence
- Interviews will be used and must include the external assessor
Confirmation:
- Evidence is expected to be made available at the start of the assessment
- Any team member can confirm the evidence
- The evidence must be tested by correlation with other evidence
- Multiple samples are not necessary
- Interviews must be held to confirm the prepared sample and must include the external assessor
Assessment Coverage
A calculation based on:
- Number of people in the TickITplus Scope
- Number of people covered by the Implemented Process Sample
- Number of hours effort planned for the Assessment

Assessment Mode   Foundation   Bronze   Silver   Gold   Platinum
Confirmation      0.5          1        1.5      1.5    1.5
Exploration       1            2        3        3      3
The Next Steps: Capability Assessment (ISO 15504)
The Measurement Framework: Capability Level, Process Attributes, Rating Scale.
- Level 5: Optimising = Platinum
- Level 4: Predictable = Gold
- Level 3: Established = Silver
- Level 2: Managed = Bronze
- Level 1: Performed = Foundation
- Level 0: Incomplete
Problem Management - A Case Study
Problem Management - A Case Study
Identify and Log Problem -> Categorise -> Prioritise -> Investigation and Diagnosis -> Known Errors -> Identify Root Causes -> Solution (with a "Review again" loop back into investigation)
Problem Management - A Case Study
[Chart: Reported Incidents (Priority 1 and Priority 2)]
Problem Management - A Case Study
[Chart: Reported Incidents]
Problem Management - A Case Study
- Do we always define the problem well enough? (Are we likely to have more than one incident related to a single problem type?)
- Do we always define a true chronology of events that led to the failure (NOT just to the resolution of the incident)? WHAT happened, and to which CI?
- Do we always identify the factor(s) that CAUSE the failure (cause and effect)? For example, a physical cause (e.g. hardware failure), a people cause (doing something they should not, or not doing something they should), a process or system cause... A cause or a symptom? Why? Why? Why? Why? Why?
- Do we always identify true preventative actions (not just corrective ones)? Whilst accepting that there may be no single action that will solve the problem, an iterative collection of actions could work toward it. Whilst accepting that there may be multiple factors at work, which may require multiple types of preventative action.
- Do we always define the required outcome for a given action? Do we confirm this was achieved before closing the action?
- Do we always confirm the impact of completed actions? Has the problem ACTUALLY been eliminated (or at least reduced)?
Transition to TickITplus... What, Why and how?
TickITplus Overview
Phil Willoughby & Peter Lawrence
Presentation slides developed by Dave Wynn CEng BSc MBCS, Lead TickITplus Capability Assessor, Omniprove Ltd
So why TickITplus?
Background:
- TickIT was introduced in 1991 - over 20 years ago
- It was aimed primarily at software development
- It provided only guidance
- Linked to ISO 9001, it provided only a pass/fail result
Today:
- Emphasis on process capabilities and improvement
- The IT sector is now much more diverse
- Organisations value clearly specified requirements
- Desire for better differentials in supplier selection
Key Benefits
For organisations:
- Encourage and promote continuous improvements
- Support process development to meet business needs
- Institutionalise good processes and practices
- Reduce business risk as capability increases
- Reduce assessment disruption by involving organisational staff in assessments
For customers:
- Provide better criteria for supplier selection purposes
- Offer clear indications of suppliers' process capabilities
- Allow better risk management
For assessment organisations:
- Provide a clear, well defined structure for conducting assessments with consistent and repeatable results
Key Differences and Changes
- Process orientated, using primarily ISO/IEC 12207:2007 (software lifecycle processes) and ISO/IEC 15288:2007 (system life cycle processes)
- Process capability based on ISO/IEC 15504-2:2003
- Extended standards coverage
- Formal improvements required
- Changed from a guidance to a requirements based scheme
- Active organisational participation in assessments
- 3 key components: Base Process Library (BPL), Process Reference Model (PRM), Process Assessment Model (PAM)
Process Capability Assessments
- Conducted to gain an appreciation of an organisation's processes against a defined measurement framework
- Characterise current practices in terms of the capability of the processes
- Examine processes to determine their effectiveness in achieving their goals (outcomes)
- Drive process improvements
- Using ISO 15504 part 2
Relationships (ISO 15504 part 2): Process Assessment leads to Process Improvement and leads to Process Capability Determination; Process Improvement motivates assessment, and Process Capability Determination invokes it.
15504 Capability Dimension
The Measurement Framework: Capability Level, Process Attributes, Rating Scale.
- Level 5: Optimising = Platinum
- Level 4: Predictable = Gold
- Level 3: Established = Silver
- Level 2: Managed = Bronze
- Level 1: Performed = Foundation
- Level 0: Incomplete
Capability Dimension
- Level 0: Incomplete. The process is not implemented or fails to achieve its purpose.
- Level 1: Performed. The implemented process achieves its process purpose.
- Level 2: Managed. The performed process is implemented in a managed fashion and its work products are appropriately established, controlled and maintained.
- Level 3: Established. The managed process is now implemented using a defined process capable of achieving its process outcomes.
- Level 4: Predictable. The established process now operates within defined limits to achieve its process outcomes.
- Level 5: Optimising. The predictable process is continuously improved to meet relevant current project and business goals.
Capability Dimension: Process Attributes & Generic Practices, Level 2
Level 2: Managed. The performed process is implemented in a managed fashion and its work products are appropriately established, controlled and maintained.
PA 2.1 Performance management attribute:
a) Objectives established
b) Planned and monitored
c) Adjusted to meet plans
d) Responsibilities and authorities defined, assigned and communicated
e) Resources and information are identified, made available, allocated and used
f) Interfaces between involved parties are managed
Capability Dimension: Process Attributes & Generic Practices, Level 2
Level 2: Managed. The performed process is implemented in a managed fashion and its work products are appropriately established, controlled and maintained.
PA 2.2 Work product management attribute:
a) Requirements defined
b) Requirements for documentation and control
c) Appropriately identified, documented and controlled
d) Reviewed in accordance with planned arrangements and adjusted as necessary
Scheme Stakeholders
Joint TickIT Industry Steering Committee (JTISC):
- Overall scheme control and direction
- Standardisation, international harmonisation, certification, accreditation and general public interest requirements
- IT industry commercial requirements
- Accreditation of Certification Bodies for TickITplus
Scheme Office:
- Management
- Website Management
- General Administration
- Registration of Assessors and Practitioners
- Registration of Training Course Providers
- Provision of Examinations
Requirements Based Scheme
Mandatory for Certification: ISO 9001; TickITplus Processes.
Scope Reference Standards: ISO/IEC 20000-1 Service Management; ISO/IEC 27001 Information Security; IEC 61508 System Safety; ISO 22301 Business Continuity; others.
Practitioners
- An important part of the TickITplus scheme
- Would typically manage the PRM implementation
- Drive organisational improvements using TickITplus concepts
- Covered by recognised training and qualification paths similar to the Assessor route
- Essential to running effective external assessments
- Can lead and be a team member on internal assessments
- Only a team member on external assessments, and require a recognised internal auditor qualification
- Will have their qualifications and possible conflicts of interest assessed by the external team lead
- Can transition to Assessor with the required auditor prerequisites that satisfy national Accreditation Bodies
- Foundation training is available from 4 providers
Grade Qualifications: Foundation
Assessor:
- Quality and IT Skills and Experience: min 5 years (or 4 with an IT related degree) in IT related work; min 2 years quality related work
- Education and Professional: recognised national certificate in Secondary Education at primary level or above; recognised national certificate in an IT related subject at diploma level or above; recognised national quality Lead Auditor registration
- CPD Hours: min 25 CPD hours over the last 2 years
- TickITplus qualifications: completion of the TickITplus Foundation Course and examination pass
- IT Skills Profile (BPL/SFIA): general level 4 across specialist profile (self declared); level 5 on specialist profile as Lead
- Qualifying TickITplus Audits (Foundation Assessments only): none required for Team Member only; 5 Assessment Credits and at least 1 assessment as Lead under supervision (exemptions for transferring TickIT Auditors)
Practitioner:
- Quality and IT Skills and Experience: min 5 years (or 4 with an IT related degree) in IT related work; min 2 years quality related work
- Education and Professional: recognised national certificate in Secondary Education at primary level or above; recognised national certificate in an IT related subject at diploma level or above
- Audit experience: recognised national Auditor registration (IRCA or equivalent) to be on an external assessment
- CPD Hours: min 25 CPD hours over the last 2 years
- TickITplus qualifications: completion of the TickITplus Foundation course and examination pass
- IT Skills Profile (BPL/SFIA): general level 3 across specialist profile (self declared); level 5 on specialist profile as Internal Lead or External Member
- Qualifying TickITplus Audits: Foundation Internal Assessments, none required for Team Member or Lead; Foundation External Assessments, none required for Team Member
Key Components
- Base Process Library (BPL)
- Process Reference Model (PRM)
- Process Assessment Model (PAM)
BPL Overview
Base Process Library (BPL):
- It is maintained by JTISC
- It provides a set of all IT and IT related processes
- It describes processes in terms of purpose, outcomes, base practices and work products
- It defines the Scope Profiles and mappings between processes and requirements and reference standards
- It is used to create Process Reference Models
TickITplus Processes
Type A processes:
Human Resource Management; Management Framework; Corporate Management & Legal; Infrastructure & Work Environment Management; Improvement; Measurement & Analysis; Customer Focus; Risk Management; Data and Record Management.
Type M processes (mandated at Gold and Platinum level):
Quantitative Performance Management; Quantitative Process Improvement.
Scope dependent Type B/C processes (grouped on the slide into Organisational, Technical, Agreement, Project, IT Specific and Maturity processes):
Capacity Management; Integration Management; Verification; Validation; Operations Management; Maintenance Management; Disposal; Requirements Analysis; Stakeholder Requirements Definition; Service Level Management; Transition & Release Management; Architecture Design; Development; Implementation; Continuity, Availability & Contingency Management; Acquisition & Contracts Management; Supply Management & Business Relationships; Lifecycle Model Management; Project Portfolio Management; Resource Management; Security Management; Domain Engineering; Asset and Program Management; Project Management; Configuration & Change Management; Decision Management; Information Management; Problem & Incident Management; IT Finance Management; Management Reporting.
What is a Process?
Inputs -> Process -> Outputs (leading to Outcomes), subject to Controls and using Resources.
Example BPL Process: Risk Management
Process ID: ORG.8
Process Name: Risk Management
Process Category: Organisational Processes
Type: A
Process Purpose: To avoid or mitigate potential future events that could adversely affect reaching business objectives
Version: v1r1
Process Outcomes: Risks are managed and business objectives are not adversely affected by unexpected conditions or events.
Base Practices (with input work products, output work products and reference standard mappings to ISO 9001, ISO 20000 and ISO 27000):
- ORG.8.BP.1 Define Risk Management Procedure. The organisation's approach for managing risk is defined, reviewed, documented and controlled within the Integrated Management System (IMS). Output: Risk Management Procedure. Mappings: 4.2.2 b), 4.2.3, 3.2 c).
- ORG.8.BP.2 Establish Risk Management Plan. Risk management plans are defined for use by the organisation. This risk management plan includes the approach to be taken, roles and responsibilities, timescales and thresholds for triggering action. Inputs: Business Plan, Stakeholder Requirements, Risk Management Procedure. Output: Risk Management Plan. Mappings: 5.1 a), 5.5.1, A9.2.1.
- ORG.8.BP.3 Identify and Analyse Risks. Risks, both internal and external, are identified, analysed and documented to determine the priority for action. Inputs: Business Needs, Business Objectives, Risk Management Plan. Output: Risks. Mappings: 8.5.3, 4.2 d), A9.2.5, A14.1.2.
- ORG.8.BP.4 Track Risks. The status of each risk is monitored and appropriate actions are taken to address risks where planned triggers are activated or defined thresholds are exceeded. Actions are reviewed to ascertain their effectiveness and changes made. The risk management documentation is updated with the status of current risks. All actions are tracked to closure and records are maintained. Inputs: Risk Management Plan, Risks. Output: Risk Records. Mappings: 8.5.3, 4.2 d).
- ORG.8.BP.5 Report Status and Escalate. The status of each risk, together with any actions, is reported to stakeholders. Where actions are not effectively addressing the risk they are escalated. Input: Risk Records. Output: Risk Reports. Mappings: 8.5.3, 5.6.2 d), 4.2 d).
- ORG.8.BP.6 Analyse Risk Management Performance. Data from across the organisation is reviewed and analysed in order to identify and address common or reoccurring risks. Input: Risks. Output: Improvement Request. Mappings: 8.2.3, 5.6.3 a).
Scope Profiles and BPL Processes
- Table 1 in the BPL identifies which processes are required for each Profile
- When a Profile is selected, all the ticked processes become mandatory (Type B/C becomes B)
- You can be assessed against one or more Profiles AND optionally any other processes (Type C processes)
PRM Overview
Process Reference Model (PRM):
- It is produced and maintained by the organisation
- It is derived from the BPL but can be extended for organisation-specific process needs
- Introduces defined processes through tailoring
- Maps Type-A, Type-B and any Type-C processes used to the organisational IMS
- Guidance on creating a PRM in ISO/IEC TR 24748, PAS 99, ISO/IEC TR 90005
- The primary role of the Practitioner is to create the PRM
Example PRM Defined Process: Risk Management
Process Assessment Model
Process Assessment Model (PAM):
- Produced by the assessor but involving the organisation
- Derived from the PRM
- Identifies the assessment Implemented Process Sample
- Brings together process performance and process capability indicators
- Records the Process Outcome ratings and identifies associated nonconformances
- Provides the basis for calculating Process Capability and Organisational Maturity
- Once completed, provides the record of assessment
Transition to TickITplus... What, Why and how?
How to transition from TickIT to TickITplus: Certificate Renewal and Transitional Assessments, Foundation Level
Phil Willoughby CEng MBCS CITP MCQI, LRQA ICT Technical Manager
TickITplus delivery process
Contract Preparation -> PRM Review -> Assessment Planning -> Readiness Review -> The Assessment -> Technical Review -> Certification
Contract Preparation
Inputs: Assessment Strategy; Scope of Business; Number of Staff; TickITplus Grade; Profile; Number of Defined Processes; Number and Size of Workgroups.
Output: Quotation in mandays.
Documentation and PRM Review
Inputs: Assessment Strategy; PRM; Management System Documents.
Outputs: Documentation & PRM Review Report; Decision to proceed; Non-conformities; Versions of all documents.
Review Highlights
- Alignment of Strategy and PRM
- Complies with CSR requirements
- Carried out by the Lead Assessor, preferably on site
- Demonstrates that the organisation understands
- Ensures the organisation is ready for the Stage 2 Assessment
- Organisation's improvement plan
Assessment Planning
Inputs: Assessment Strategy; Improvement Plan; Previous PAMs; Assessment Reports.
Outputs: Assessment Plan; Schedule; Resources.
Planning Highlights
- Can be initiated at any time in the pre-assessment activity
- Finalised after the Readiness Review
- Confirmation or exploration mode selected
- Creates the initial PAM
- Determines the Implemented Process Sample
Assessment Readiness Review
Has the organisation prepared for the Assessment?
- Internal assessments and corrective action (at Foundation they can be TickIT type)
- Improvement plan is being implemented and monitored
- People allocated to plan activities (exploration mode)
- Required evidence collected by the practitioner (confirmation mode)
- Assessment logistics arranged
- No significant changes since the PRM Review or Assessment Planning activities
Can be conducted on site or remotely.
TickITplus delivery process
Contract Preparation -> PRM Review -> Assessment Planning -> Readiness Review (PRM Review, Planning and Readiness Review may be a Combined Review) -> The Assessment -> Technical Review -> Certification
The Assessment
- Opening meeting
- Process verification
- Team agreement on the findings
- Completion of the PAM (other than at a transitional assessment)
- Report generation
- Closing meeting
Process Verification
- The defined processes are verified against the PAM by examining the IPS using the agreed assessment mode
- For Foundation level the single Process Attribute (PA), Process Performance, needs to be assessed
- All defined processes are assessed
Findings
- Findings are graded following team discussion
- Positive and negative observations
- Major and minor non-conformities
- The characterisation (rating) of PAs is based on the number and type of nonconformities
Converting findings to ratings
Ratings: FI / LI / PI / NI

Findings                     Comments and notes
No findings                  -
Positive observations only   -
Negative observations only   Team decision based on the balance of positive and negative observations, risks, quantity of observations. Consideration should be given to raising a minor NC.
1 Minor NC                   Team decision based on the balance of any positive and negative observations and risks.
Multiple Minor NCs           Team decision based on the balance of any positive and negative observations, risks, quantity of NCs. Consideration should be given to raising a major NC.
1 Major NC                   Team decision based on the impact, risks, severity of any minor NCs, or positive and negative observations.
Multiple Major NCs           -
Certification
Transitional Assessments
Designed to be simpler than a full initial or certificate renewal visit:
- PRM Review, Planning and Readiness Review combined
- PAM not required
- Only 50% of Type Bs require assessment
- Carried out by your regular Lead Assessor
- No characterisation required
Transition: Integrating with existing six monthly visits
- Visit: Request Transition
- Additional Visit: PRM, Planning and Readiness Reviews
- Visit + 1: Assessment
Summary
- Transitional Assessments are a gentler route to TickITplus
- The Core Scheme Requirements document explains everything
Transition to TickITplus... What, Why and how?
Nexor's TickITplus Journey
Irene Dovey, Business Improvement Manager, Nexor Ltd
Transition to TickITplus... What, Why and how?
TickITplus... what it can do for you
Colin Walford, Global ISO Certification Manager, CSC
Transition to TickITplus... What, Why and how?
TickITplus: Conformance to performance
Bill Martin, Assurance and Improvement Manager, CGI
Paul Breslin, ICT Sector Leader UK, DNV Business Assurance
Transition to TickITplus... What, Why and how?
Question and Answer Session
Transition to TickITplus... What, Why and how?
Summary and Close