I recently evaluated a consulting client's IT infrastructure and operational capabilities using COBIT, which is an assessment standard originally developed in the UK and now used worldwide. I found COBIT to be very useful for this task at the management/process level, although it doesn't really get into the technical details. Here's how I used it, and how you might find it useful too...
COBIT identifies a set of 34 "processes" that the authors consider essential for IT success. These 34 processes are grouped into 4 major categories:
- Planning & Organization
- Acquisition & Implementation
- Delivery & Support
For each of these processes, there's a numerical "maturity level" evaluation on a 0-5 scale:
- 0 -- Non-Existent -- Management processes are not applied at all
- 1 -- Initial -- Processes are ad hoc and disorganised
- 2 -- Repeatable -- Processes follow a regular pattern
- 3 -- Defined -- Processes are documented and communicated
- 4 -- Managed -- Processes are monitored and measured
- 5 -- Optimised -- Best practices are followed and automated
You can use this scale for each process to evaluate a number of different things:
- What level your organization is currently at
- What level your organization should be (or wants to be)
- What level is considered "best practice" in your industry
- What level the best of your competitors have achieved
This is totally a self-applied tool that you can use within your organization. There's no requirement that an outside agency administer the assessment and certify the results or anything like that (though there are plenty of consultants who would be happy to do so).
You can find a great variety of free information, discussion, and guidance about the tool on the COBIT web site.
Of all the material on the web site, I found the Management Guidelines booklet to be the most useful; it's available as a free PDF after registration. Besides general information on how to use COBIT, the Management Guidelines includes a very useful 2-page spread for each of the 34 processes. On the left-hand side of the spread, it talks about what this particular process is all about, and give examples of what you'd see in an organization that was really doing this process right, as well as key goal and performance indicators that you can track to see how well you're handling this process. On the right-hand side of the spread, there are sample statements to help you figure out which of the 0-5 capability level applies to your current situation.
For example, one of the "Delivery & Support" processes is "Manage the Configuration". For that process, they give the following sample statements to illustrate various capability maturity levels:
- Level 0 -- Non-Existent -- Management does not have an appreciation of the benefits of having a process in place that is capable of reporting on and managing the IT infrastructure, for either hardware or software configurations.
- Level 1 -- Initial/Ad Hoc-- The need for configuration management is recognised. Basic configuration management tasks, such as maintaining inventories of hardware and software, are performed on an individual basis. No standard practices are applied.
- Level 2 -- Repeatable but Intuitive -- Management is aware of the benefits of controlling the IT configuration but there is implicit reliance on technical personnel knowledge and expertise. Configuration management tools are being employed to a certain degree, but differ among platforms. Moreover, no standard working practices have been defined. Configuration data content is limited and not used by interrelated processes, such as change management and problem management.
- Level 3 ...
- Level 4 ...
- Level 5 ...
For this particular consulting engagement, the client's goal was to figure out where they were and where they ought to be, from an IT operational standpoint. I used COBIT as a framework for discussion with each member of the client's team. I prepared a simple survey spreadsheet with a page for each staff member, which listed each of the COBIT processes and allowed them to specify their assessment of "Current" and "Target" levels for each process.
I met with each staff member individually to complete their survey spreadsheet interactively, so that I could discuss the issues with them and answer questions about interpretation and application to their particular environment (and thus, hopefully, get data that was more readily comparable between individuals), and so that I could capture any additional insightful comments that they made about each process.
When all the survey interviews were finished, I created a spreadsheet that summarized the survey data from all of the interviews. This summary let us see things like what folks felt the current and target levels were for each process, as well as how much agreement (or disagreement) there was about those levels. This summary is being used by the organization as a framework for further debate and discussion within the organization about what level they're at, why they're at that level, what level they wish to be at, and how to get from where they are to where they want to be.
COBIT does a good job of addressing the high-level processes that an IT organization needs to have a handle on, but it doesn't get into any of the technical details. For instance there's one process called "Manage Data", in the "Delivery & Support" category, which covers everything like filesystem organization and naming, backup procedures and mechanisms, capacity management, and so forth. If you want to dig into the technical details of your operation, then you'll need additional tools, such as Geoff Halprin's SA-BOK (System Administration Book of Knowledge).