Transition to TickITplus . . .What, Why and how?
Welcome and Introduction
Peter Lawrence MSc FBCS CITP FCQI CQP
Chairman Joint TickIT Industry Steering Committee
Agenda – Morning
Welcome and benefits of TickITplus – Peter Lawrence, JTISC Chairman
Overview and components; benefits from using the Base Process Library (BPL); constructing your Process Reference Model (PRM) – David Wynn, Lead TickITplus Capability Assessor
11.15 Break and Refreshments
The Assessment Coverage Index (ACI) . . . levelling the playing field; assessors and practitioners – David Wynn
12.30 Lunch.

Agenda – Afternoon
How to transition from TickIT to TickITplus using the Core Scheme Requirements (CSR) – Phil Willoughby, LRQA’s ICT Technical Manager
TickITplus case studies reflecting on experiences implementing TickITplus and lessons learnt:
Nexor Ltd – Irene Dovey
IPL Information Processing Ltd – Graham Gee
Logica UK Ltd – Bill Martin
15.30 Break and Refreshments
Question and Answers Session – TickITplus panel
Summary and Close – Phil Willoughby
16.30 Finish.
Welcome and benefits of TickITplus
TickIT Framework
Established in 1992 to address growing concerns in the UK for the supply of dependable software and IT systems
Specifies best practice, along with requirements for the formal qualification of ISO 9001 assessors within the IT sector
Has been through five revisions, but is not perceived to have kept pace with the changes in the IT industry – in particular the growing focus on ‘services’ over ‘software’
New approach:
• to broaden appeal
• provide an integrated assessment framework
• regain lost credibility and customer confidence
• re-vitalise and re-energise auditors.
TickITplus Drivers
Critical dependency on IT systems
Changing IT landscape
Emerging (converging) standards:
• ISO 20000 (ITIL/Service Management)
• ISO 27001 (Security Risk Management)
• ISO 12207 (Software Lifecycle)
• ISO 15288 (System Lifecycle)
Demand for a graded approach (ISO 15504, SPICE)
Flexibility and graded costs
Differentiation and competitive advantage.
TickITplus Enhancements
Built on multiple international standards
UKAS accredited
Third party verified
Straightforward migration
Up-to-date and competent assessors
Focuses on outcomes and business drivers
Promotes positive and cooperative relationships with certification body (CB)
Encourages systematic and ongoing improvement
Provides a benchmarking framework.
Do We Need Quality?
‘The project successfully rejected the established constricting and negative influences of prescriptive engineering, onerous quality requirements and outdated concepts of inspection and client control’
Petrobras 2001 (loss in excess of $500M)
Where do assessment and certification programmes fail?
Lack of sponsorship and ownership from senior leaders
Insufficient link to business goals and objectives
Questionable business benefits
‘Trophy hunting’
Spiralling costs with no returns
Constrained by the standards and reference models
“It’s all very well you bringing up these certification issues, but we’ve got to deal with real business problems here”
EMEA Service Exec (during Services Board Meeting).
What are the Ingredients for Success?
The CEO and top leadership are actively involved and committed
The programme is linked to defined strategic goals
Changes and improvements are linked to clear financial payback
Don’t adopt an ‘off the shelf’ solution
Customer focus is critical
Fortune Magazine.
Summary: conformance versus performance
The matrix plots process conformance against process performance. Each quadrant carries its diagnosis and the action it calls for:

Low conformance, low performance: processes are chaotic and ‘out of control’, with poor and unpredictable performance and a high cost of quality.
ACTION: apply a standard process and robust quality assurance.

High conformance, low performance: processes are repeatable, but performance is poor.
ACTION: drive systematic improvement in the core process.

Low conformance, high performance: results are good, but processes are non-standard, with sub-optimisation and poor leverage.
ACTION: identify best practices and apply them to the standard processes.

High conformance, high performance: processes are repeatable and yield consistently good performance with high productivity.
ACTION: drive continual improvement in the core process.

To achieve excellence an organisation must ‘standardise processes’ and drive ‘improvement’.
TickITplus Principles – From Conformance to Performance
Continual improvement through an Integrated Management System (IMS, the former QMS), moving from conformance to performance up the grades:
Entry (Foundation): policy and working practices are formally documented.
Bronze: processes are systematic and deployed within a managed framework.
Silver: processes are measured and a baseline of repeatable performance is established.
Gold: process improvements are implemented through quantitative evaluations.
Platinum: processes are continuously improved.
Continual improvement is achieved through standardisation and active assessment.

. . . cont TickITplus Principles
FOUNDATION (Conformance): establish ‘standard’ processes across the organisation.
VISION (Performance): characterise underlying performance and drive systematic improvement.
The Clock is Ticking . . .
Existing TickIT approvals will expire by the end of 2014
Dave Wynn CEng BSc MBCS
Lead TickITplus Capability Assessor, Omniprove Ltd

TickITplus Overview – Topics
• Overview and components
• Benefits from using the Base Process Library
• Constructing your Process Reference Model
• The Process Assessment Model
• The Assessment Coverage Index – Levelling the playing field
• Assessors and Practitioners
Background
TickIT was introduced in 1991 - over 20 years ago
It was aimed primarily at software development
It provided only guidance
Linked to ISO 9001 it provided only a pass/fail result
Today
• Emphasis on process capabilities and improvement
• The IT sector is now much more diverse
• Organisations value clearly specified requirements
• Desire for better differentials in supplier selection.
So why TickITplus?
For organisations:
• Encourage and promote continuous improvements
• Support process development to meet business needs
• Institutionalise good processes and practices
• Reduce business risk as capability increases
• Reduce assessment disruption
• Involve organisational staff in assessments
For customers:
• Provide better criteria for supplier selection purposes
• Offer clear indications of suppliers’ process capabilities
• Allow better risk management
For assessment organisations:
• Provide a clear, well-defined structure for conducting assessments with consistent and repeatable results.
Key Benefits
Process orientated, using primarily• ISO/IEC 12207:2007 FDIS (software lifecycle processes)• ISO/IEC 15288:2007 FDIS (system life cycle processes)
Process capability based on ISO/IEC 15504-2:2003
Extended standards coverage
Formal improvements required
Changed from guidance to requirements based scheme
Active organisational participation in assessments
3 key components:
• Base Process Library (BPL)
• Process Reference Model (PRM)
• Process Assessment Model (PAM).
Key Differences and Changes
Conducted to gain an appreciation of organisations’ processes against a defined measurement framework
Characterises current practices in terms of the capability of the processes
Examines processes to determine the effectiveness in achieving their goals (outcomes)
Drives process improvements
Using ISO 15504 part 2.
Process Capability Assessments
(Diagram, after ISO/IEC 15504: process assessment leads to both process capability determination and process improvement, each of which in turn motivates or invokes further assessment.)

The Measurement Framework
ISO/IEC 15504 capability dimension, with the TickITplus grade placed against each capability level:
Level 0: Incomplete – no grade
Level 1: Performed – Foundation
Level 2: Managed – Bronze
Level 3: Established – Silver
Level 4: Predictable – Gold
Level 5: Optimising – Platinum
Each level is characterised by process attributes, which are rated on the rating scale.

15504 Capability Dimension
Level 0: Incomplete – the process is not implemented or fails to achieve its purpose.
Level 1: Performed – the implemented process achieves its process purpose.
Level 2: Managed – the performed process is implemented in a managed fashion and its work products are appropriately established, controlled and maintained.
Level 3: Established – the managed process is now implemented using a defined process capable of achieving its process outcomes.
Level 4: Predictable – the established process now operates within defined limits to achieve its process outcomes.
Level 5: Optimising – the predictable process is continuously improved to meet relevant current project and business goals.
Capability Dimension – Process Attributes & Generic Practices, Level 2
Level 2: Managed – the performed process is implemented in a managed fashion and its work products are appropriately established, controlled and maintained.
PA 2.1 Performance management attribute:
a) Objectives established
b) Planned and monitored
c) Adjusted to meet plans
d) Responsibilities and authorities defined, assigned and communicated
e) Resources and information are identified, made available, allocated and used
f) Interfaces between involved parties are managed.
PA 2.2 Work product management attribute:
a) Requirements defined
b) Requirements for documentation and control
c) Appropriately identified, documented and controlled
d) Reviewed in accordance with planned arrangements and adjusted as necessary.
Scheme Stakeholders
Joint TickIT Industry Steering Committee (JTISC): overall scheme control and direction
Standardisation, international harmonisation, certification, accreditation and general public interest requirements
IT industry commercial requirements
Accreditation of Certification Bodies for TickITplus
Registration of Assessors and Practitioners; registration of Training Course Providers; provision of Examinations
Scheme Office management; website management; general administration
Revised Documentation
TickITplus Project Documentation:
Requirements & Implementation Specification
Assessor & Practitioner Qualification Criteria
Training Course & Examination Criteria
Outline Technical Specification
Administration Design Specification
Technical Design Specification
TickITplus Scheme Documentation:
TickITplus Core Scheme Requirements
TickITplus Base Process Library
TickITplus Requirements for Assessors and Practitioners
TickITplus Requirements for Training and Examinations
TickITplus Process Guidance
TickITplus Kick Start Guide
TickITplus Implementation Guidance
Requirements Based Scheme – Delivering Quality in IT
TickITplus Processes are assessed against ISO 9001 (mandatory for certification) together with the scope reference standards selected for the organisation:
ISO/IEC 20000 Service Management
ISO/IEC 27001 Information Security
IEC 61508 System Safety
BS 25999 Business Continuity
Others
Practitioners
• An important part of the TickITplus scheme
• Would typically manage the PRM implementation
• Drive organisational improvements using TickITplus concepts
• Covered by recognised training and qualification paths similar to the Assessor route
• Essential to running effective external assessments
• Can lead and be a team member on internal assessments
• Only a team member on external assessments, and require a recognised internal auditor qualification
• Will have their qualifications and possible conflicts of interest assessed by the external team lead
• Can transition to Assessor with the required auditor prerequisites that satisfy national Accreditation Bodies
Foundation training is available from LRQA and ITG.
Grade Qualifications – Foundation

Assessor
Quality and IT skills and experience:
• Min 5 years (or 4 with an IT-related degree) in IT-related work
• Min 2 years quality-related work
Education and professional:
• Recognised national certificate in Secondary Education at primary level or above
• Recognised national certificate in an IT-related subject at diploma level or above
• Recognised national quality Lead Auditor registration
CPD hours:
• Min 25 CPD hours over the last 2 years
TickITplus qualifications:
• Completion of the TickITplus Foundation Course and examination pass
IT skills profile (BPL/SFIA):
• General level 4 across specialist profile (self declared)
• Level 5 on specialist profile as Lead
Qualifying TickITplus audits (Foundation assessments only):
• None required for Team Member only
• 5 Assessment Credits and at least 1 assessment as Lead under supervision
• (Exemptions for transferring TickIT Auditors)

Practitioner
Quality and IT skills and experience:
• Min 5 years (or 4 with an IT-related degree) in IT-related work
• Min 2 years quality-related work
Education and professional:
• Recognised national certificate in Secondary Education at primary level or above
• Recognised national certificate in an IT-related subject at diploma level or above
• Audit experience
• Recognised national Auditor registration (IRCA or equivalent) to be on an external assessment
CPD hours:
• Min 25 CPD hours over the last 2 years
TickITplus qualifications:
• Completion of the TickITplus Foundation course and examination pass
IT skills profile (BPL/SFIA):
• General level 3 across specialist profile (self declared)
• Level 5 on specialist profile as Internal Lead or External Member
Qualifying TickITplus audits:
• Foundation internal assessments: none required for Team Member or Lead
• Foundation external assessments: none required for Team Member
Key Components
Base Process Library (BPL)
Process Reference Model (PRM)
Process Assessment Model (PAM)

Base Process Library (BPL) – BPL Overview
It is maintained by JTISC
It provides a set of all IT and IT-related processes
It describes processes in terms of purpose, outcomes, base practices and work products
It defines the Scope Profiles and the mappings between processes and requirements and reference standards
It is used to create Process Reference Models.
TickITplus Processes
Maturity Processes (Type M, mandated at Gold and Platinum level):
• Quantitative Performance Management
• Quantitative Process Improvement
Project, Technical and IT Specific Processes (scope-dependent, Type B/C):
• Project Management
• Configuration & Change Management
• Decision Management
• Information Management
• Problem & Incident Management
• IT Finance Management
• Management Reporting
• Capacity Management
• Integration Management
• Verification
• Validation
• Operations Management
• Maintenance Management
• Disposal
• Requirements Analysis
• Stakeholder Requirements Definition
• Service Level Management
• Transition & Release Management
• Architecture Design
• Development Implementation
• Continuity, Availability & Contingency Management
• Domain Engineering
• Asset and Program Management
Organisational Processes (Type A):
• Data and Record Management
• Lifecycle Model Management
• Project Portfolio Management
• Resource Management
• Security Management
• Human Resource Management
• Management Framework
• Corporate Management & Legal
• Infrastructure & Work Environment Management
• Improvement
• Measurement & Analysis
• Customer Focus
• Risk Management
Agreement Processes:
• Acquisition & Contracts Management
• Supply Management & Business Relationships
What is a Process?
(Diagram: inputs enter the process and outputs leave it; controls constrain the process and resources support it; the process delivers its outcomes.)
Example BPL Process – Risk Management
Process ID: ORG.8
Process Name: Risk Management
Process Category: Organisational Processes
Type: A
Version: v1r1
Process Purpose: To avoid or mitigate potential future events that could adversely affect reaching business objectives.
Process Outcome: Risks are managed and business objectives are not adversely affected by unexpected conditions or events.

Base practices (each with input work products, output work products and the clauses it maps to in ISO 9001, ISO 20000 and ISO 27000):

ORG.8.BP.1 Define Risk Management Procedure
The organisation’s approach for managing risk is defined, reviewed, documented and controlled within the Integrated Management System (IMS).
Inputs: none listed. Outputs: Risk Management Procedure.
ISO 9001: 4.2.2 b), 4.2.3. ISO 20000: 3.2 c).

ORG.8.BP.2 Establish Risk Management Plan
Risk management plans are defined for use by the organisation. The risk management plan includes the approach to be taken, roles and responsibilities, timescales and thresholds for triggering action.
Inputs: Business Plan; Stakeholder Requirements; Risk Management Procedure. Outputs: Risk Management Plan.
ISO 9001: 5.1 a), 5.5.1. ISO 27000: A9.2.1.

ORG.8.BP.3 Identify and Analyse Risks
Risks, both internal and external, are identified, analysed and documented to determine the priority for action.
Inputs: Business Needs; Business Objectives; Risk Management Plan. Outputs: Risks.
ISO 9001: 8.5.3. ISO 20000: 4.2 d). ISO 27000: A9.2.5, A14.1.2.

ORG.8.BP.4 Track Risks
The status of each risk is monitored and appropriate actions are taken to address risks where planned triggers are activated or defined thresholds are exceeded. Actions are reviewed to ascertain their effectiveness and changes made. The risk management documentation is updated with the status of current risks. All actions are tracked to closure and records are maintained.
Inputs: Risk Management Plan; Risks. Outputs: Risk Records.
ISO 9001: 8.5.3. ISO 20000: 4.2 d).

ORG.8.BP.5 Report Status and Escalate
The status of each risk, together with any actions, is reported to stakeholders. Where actions are not effectively addressing the risk they are escalated.
Inputs: Risk Records. Outputs: Risk Reports.
ISO 9001: 8.5.3, 5.6.2 d). ISO 20000: 4.2 d).

ORG.8.BP.6 Analyse Risk Management Performance
Data from across the organisation is reviewed and analysed in order to identify and address common or recurring risks.
Inputs: Risks. Outputs: Improvement Request.
ISO 9001: 8.2.3, 5.6.3 a).
Scope Profiles and BPL Processes
Service Management: operations in a service management environment; delivering IT-based services to clients, either outsourced or internal.
Systems & Software Development & Support: all aspects of systems and software development, both traditional and new methodologies; long-term support and maintenance.
Project & Programme Management: multidiscipline programme and project delivery as a specialist area; analysis, reporting, risk and general project management.
Legal and Compliance: dealing with the delivery of products or services within a legal and compliance framework; covering business analysis, corporate responsibility, risk and compliance audit.
Corporate Strategy Planning & Management: taking an organisation-wide view of IT operations, long-term planning, high-level management.
Information Management & Security: delivery of information and systems to meet both data and security requirements.
Product Validation, Quality & Measurement: independent testing and validation of products and services; ensuring quantitative quality and measurements are applied to product development and delivery.
IT Systems Engineering & Infrastructure: operations involving network and data handling systems, server farms, data centres and supporting infrastructure.
Process Reference Model (PRM) – PRM Overview
It is produced and maintained by the organisation
It is derived from the BPL but can be extended for organisation-specific process needs
It introduces defined processes through ‘tailoring’
It maps the Type-A, Type-B and any Type-C processes used to the organisational IMS
Guidance on creating a PRM is in ISO/IEC TR 24748, PAS 99 and ISO/IEC TR 90005
Creating the PRM is the primary role of the Practitioner.
Example PRM Defined Process – Risk Management
Process Assessment Model (PAM)
Produced by the assessor, but involving the organisation
Derived from the PRM
Identifies the assessment’s Implemented Process Sample (IPS)
Brings together process performance and process capability indicators
Records the Process Outcome ratings and identifies associated non-conformances
Provides the basis for calculating Process Capability and Organisational Maturity
Once completed, provides the record of assessment.
Implementation and Assessment
(Process flow by role)
JTISC: Base Process Library creation and maintenance.
Organisation: derives the Process Reference Model from the BPL and its own QMS; scope determination; implementation; corrective action and improvements.
Certification Body and assessors: defining the certification requirements; contract; assessment strategy and assessment planning, producing the assessment schedule; documentation and PRM review; readiness review; conduct assessment; Process Assessment Model report; technical review and certificate award, resulting in the TickITplus Certificate.
Exploration or Confirmation
Exploration mode:
• Evidence does not need to be made available at the start of the assessment
• Evidence of adequate implementation of Base Practices and Work Products must be sought by external assessment team members
• The evidence must be tested by correlation to other evidence
• Interviews will be used and must include the external assessor
Confirmation mode:
• Evidence is expected to be made available at the start of the assessment
• Any team member can confirm the evidence
• The evidence must be tested by correlation with other evidence
• Multiple samples are not necessary
• Interviews must be held to confirm the prepared sample and must include the external assessor.
Assessment Coverage Index
A calculation based on:
• Number of people in the TickITplus Scope
• Number of people covered by the Implemented Process Sample
• Number of hours effort planned for the Assessment.

Index by assessment mode and grade:
Assessment mode   Foundation  Bronze  Silver  Gold  Platinum
Confirmation      0.5         1       1.5     1.5   1.5
Exploration       1           2       3       3     3
How to transition from TickIT to TickITplus
Certificate Renewal and Transitional Assessments Foundation Level
Phil Willoughby LRQA ICT Technical Manager
TickITplus delivery process: Contract Preparation; PRM Review; Assessment Planning; Readiness Review; The Assessment; Technical Review; Certification

Contract Preparation
Inputs:
• Assessment Strategy
• Scope of Business
• Number of Staff
• TickITplus Grade
• Profile
• Number of Defined Processes
• Number and Size of Workgroups
Output: quotation in man-days.
Documentation & PRM Review
Inputs:
• Assessment Strategy
• PRM
• Management System Documents
Output: report covering
• Decision to proceed
• Non-conformities
• Versions of all documents.

Review Highlights
Alignment of Strategy and PRM
Complies with CSR requirements
Carried out by the Lead Assessor
Preferably on site
Demonstrates the organisation understands
Ensures the organisation is ready for the Stage 2 Assessment
Organisation’s improvement plan.
Assessment Planning
Inputs:
• Assessment Strategy
• Improvement Plan
• Previous PAMs
• Assessment Reports
Outputs:
• Assessment Plan
• Schedule
• Resources.

Planning Highlights
Can be initiated at any time in the pre-assessment activity
Finalised after the Readiness Review
Confirmation or exploration mode selected
Creates the initial PAM
Determines the Implemented Process Sample.
Assessment Readiness Review
Has the organisation prepared for the Assessment?
• internal assessments and corrective action (at Foundation they can be TickIT type)
• improvement plan is being implemented and monitored
• people allocated to planned activities (exploration mode)
• required evidence collected by the Practitioner (confirmation mode)
• assessment logistics arranged
• no significant changes since the PRM Review or Assessment Planning activities
Can be conducted on site or remotely.
The Assessment
opening meeting
process verification
team agreement on the findings
completion of the PAM (other than at a transitional assessment)
report generation
closing meeting.
Process Verification
The defined processes are verified against the PAM by examining the Implemented Process Sample (IPS) using the agreed assessment mode
For Foundation level only the single Process Attribute (PA), Process Performance, needs to be assessed
All defined processes are assessed.
Findings
Findings are graded following team discussion:
• Positive and negative observations
• Major and minor non-conformities
The characterisation (rating) of PAs is based on the number and type of non-conformities.

Converting findings to ratings
Rating columns FI / LI / PI / NI (the tick marks showing which rating applies to each row are not preserved in the transcript); the comments and notes column is reproduced below.
No findings – (no comment)
Positive observations only – (no comment)
Negative observations only – Team decision based on the balance of positive and negative observations, risks and quantity of observations. Consideration should be given to raising a minor NC.
1 Minor NC – Team decision based on the balance of any positive and negative observations and risks.
Multiple Minor NCs – Team decision based on the balance of any positive and negative observations, risks and quantity of NCs. Consideration should be given to raising a major NC.
1 Major NC – Team decision based on the impact, risks, severity of any minor NCs, or positive and negative observations.
Multiple Major NCs – (no comment)
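The capability levels and process attributes of the Measurement Framework slides, and the ratings that the findings table above produces, are combined by a fixed rule the slides do not spell out. The Python below is an added example, not from the TickITplus scheme documents or these slides: it implements the ISO/IEC 15504-2 rule for deriving a process capability level from attribute ratings (level N is achieved when every attribute of levels 1 to N-1 is fully achieved and every attribute of level N is largely or fully achieved) and maps the level to the grade the Measurement Framework slide sets against it. Ratings use the standard's four-point N/P/L/F scale. The organisational_level function, which credits the organisation with its weakest assessed process, and the sample PAM extract are constructed assumptions for illustration, not the scheme's own rule.

```python
"""Capability-level determination from process attribute ratings.

Added example, not from the TickITplus slides or scheme documents. It
applies the ISO/IEC 15504-2 rule for deriving a process capability level
from the ratings of its process attributes, and maps the level to the
grade the Measurement Framework slide associates with it. Attribute ids
(PA1.1 .. PA5.2) are the standard's own; the sample PAM is constructed.
"""
from typing import Dict, Tuple

# Process attributes assessed at each capability level (ISO/IEC 15504-2:2003).
ATTRIBUTES: Dict[int, Tuple[str, ...]] = {
    1: ("PA1.1",),           # process performance
    2: ("PA2.1", "PA2.2"),   # performance management, work product management
    3: ("PA3.1", "PA3.2"),   # process definition, process deployment
    4: ("PA4.1", "PA4.2"),   # process measurement, process control
    5: ("PA5.1", "PA5.2"),   # process innovation, process optimisation
}

# Four-point rating scale: N (not), P (partially), L (largely), F (fully) achieved.
RATINGS = ("N", "P", "L", "F")

# Grade the slides place against each capability level; level 0 carries none.
GRADE = {0: "-", 1: "Foundation", 2: "Bronze", 3: "Silver", 4: "Gold", 5: "Platinum"}


def capability_level(ratings: Dict[str, str]) -> int:
    """Return the capability level (0..5) achieved by one process.

    ``ratings`` maps an attribute id to its rating letter. An attribute that
    was not rated is treated as N, so an unassessed level is never credited.
    Rule (ISO/IEC 15504-2): level N is achieved when every attribute of
    levels 1..N-1 is F and every attribute of level N is L or F.
    """
    bad = {a: r for a, r in ratings.items() if r not in RATINGS}
    if bad:
        raise ValueError(f"invalid ratings: {bad}")

    achieved = 0
    for level, attrs in sorted(ATTRIBUTES.items()):
        lower_fully = all(
            ratings.get(a, "N") == "F"
            for lower in range(1, level)
            for a in ATTRIBUTES[lower]
        )
        this_level = all(ratings.get(a, "N") in ("L", "F") for a in attrs)
        if not (lower_fully and this_level):
            break  # levels are cumulative: stop at the first one not reached
        achieved = level
    return achieved


def organisational_level(pam: Dict[str, Dict[str, str]]) -> int:
    """Lowest capability level across the assessed processes.

    Assumption for this example only: the organisation is credited with the
    level reached by its weakest assessed process. The scheme's rule for
    combining process levels into an organisational result is not on the
    slides.
    """
    if not pam:
        return 0
    return min(capability_level(r) for r in pam.values())


def summarise(pam: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each process id to 'level N (Grade)'."""
    out = {}
    for pid, ratings in pam.items():
        lvl = capability_level(ratings)
        out[pid] = f"level {lvl} ({GRADE[lvl]})"
    return out


# Constructed sample PAM extract: three BPL processes named on the slides.
SAMPLE_PAM = {
    "ORG.8 Risk Management": {"PA1.1": "F", "PA2.1": "F", "PA2.2": "L"},
    "ORG.6 Measurement and Analysis": {"PA1.1": "F", "PA2.1": "L", "PA2.2": "L",
                                       "PA3.1": "F", "PA3.2": "F"},
    "PRJ.1 Project Management": {"PA1.1": "L"},
}

if __name__ == "__main__":
    for pid, verdict in summarise(SAMPLE_PAM).items():
        print(f"{pid}: {verdict}")
    lvl = organisational_level(SAMPLE_PAM)
    print(f"organisation: level {lvl} ({GRADE[lvl]})")
```

Run as a script it prints one line per process. The case to notice is ORG.6: its level 3 attributes are fully achieved, yet it stays at level 2 (Bronze) because PA2.1 and PA2.2 are only largely achieved. An L rather than F on a lower level caps the result, which is why a single minor non-conformity against a level 2 attribute matters for an organisation seeking Silver or above.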
Certification
Transitional Assessments
Designed to be simpler than a full initial or certificate renewal visit:
• PRM review, Planning and Readiness Review combined
• PAM not required
• Only 50% of the Type B processes require assessment
• Carried out by your regular Lead Assessor
• No characterisation required.
Transition – Integrating with Existing Monthly Visits
Sequence across the regular surveillance visits:
Visit: request transition
Visit + 1: PRM, Planning and Readiness Reviews (an additional visit)
Visit + 1: Assessment (an additional visit)
Summary
Transitional Assessments are a gentler route to TickITplus
The Core Scheme Requirements (CSR) document explains everything.
TickITplus – Conformance to performance
Bill Martin, Assurance and Improvement Manager, Logica UK Ltd

TickITplus . . . what it can do for you
Graham Gee, Quality and InfoSec Manager, IPL
IPL Background
• Trusted, independent consulting & solutions house
• 30+ year track record
• 260 staff, £28m+ turnover
• Business/mission critical contexts
• Consistently exceed expectations
• Multiple market sectors: Aerospace & Defence; Banking & Finance; Civil Government incl. Emergency Services; Transport; Telecoms & Utilities.
Official Business Partner

IPL’s focus on Quality
IPL’s origins more than 30 years ago in UK Aerospace & Defence
Objective since 1979: “to provide customers with high quality, high reliability software within timescale, budget and specification”
“Quality is the responsibility of all individuals within the Company”
More than 20 years ago (before SEI’s CMM existed):
• By 1988 IPL’s QMS and processes were aligned to the international standard ISO 9001 and, a few years later, the TickIT software sector-specific scheme
• TickIT was largely adopted by the UK software development industry
• Especially in IPL’s core market sector with high quality requirements.

Certifications & Affiliations
ISO 9001:2008/TickIT; ISO 27001:2005; ISO 14001:2004
TickITplus
Was launched in 2011
3-year ‘clock’ to migrate from TickIT started ticking in Dec 2011
Adds process capability assessment, with levels mapped to the international standard ISO/IEC 15504, similar to CMMI
So it moves TickIT to the same basis as CMMI, but also:
• Backed by UK plc (including BSI, BCS, Intellect, MoD)
• Integral part of certification to the international standard ISO 9001 by certification bodies such as BSI, LRQA and DNV
• Requires mapping of project, technical, organisational, IT-specific, agreement and maturity processes to the Base Process Library.
Steps to TickITplus: 2006-2010
TickIT lead auditor course in 2006:
• Declining interest in the scheme; only one accredited trainer in the UK
• Auditor and company registrations dropping; only ever good practice guidance
• CMMI had stolen a march in India and elsewhere from its US origins
Joined IPL in Oct 2007 aiming to bring the QMS into the 21st century
Long experience in Quality/TickIT and with BCS.

TickITplus coming ‘soon’ as a UK alternative to CMMI . . .
• But it took a long time and there was a chronic lack of communication
Occasional pressure around CMMI in questionnaires and responses
• Happened again at the end of 2010 around Thales preferred supplier selection
Transition of Certification Body to LRQA – December 2010.
Steps to TickITplus: during 2011
Kept the faith – information sessions hosted at Intellect, early 2011
Speculative gap analysis cf. list of process titles – March/April 2011
Assessor/practitioner training by Dave Wynn for IT Governance – June 2011
Base Process Library (BPL) finally published – also June 2011
Confirmed gap analysis (cf. BPL) -> 1st draft PRM – July 2011
3-year ‘clock’ to migrate from TickIT started ticking in Dec 2011
LRQA Stage 1 assessment – end Sept 2011 -> 3 Minor N/Cs
LRQA Stage 2 assessment – Dec 2011 -> certification, but raised 7 new Minor N/Cs (just before Christmas!) and a Corrective Action Plan
Continuing assessment – end Mar 2012 – closed all TickITplus N/Cs.

What does TickITplus involve?
Eight scope profiles (currently two)
40 processes: the original BPL had 22 (organisational, project and technical)
Mapped to four international standards:
• ISO 9001
• ISO 20000 and ISO 27001 – Q2 and Q3 2012 respectively
• ISO 15504 – basis laid but the rest later, possibly 2013
Combined assessor/practitioner training – overseen by gasq
Currently three UK Certification Bodies (BSI, DNV, LRQA)
Run by the Joint TickIT Industry Steering Committee (JTISC)
Measurement and Analysis
Process ID: ORG.6 | Process Name: Measurement and Analysis | Category: Organizational Processes | Type: A
Process Purpose: To provide information to enable better decision making. | Version: v1r0
Columns: Process Outcome; Process Base Practices; Input Work Products; Output Work Products; ISO 9001
OU.1 Measurements are used to demonstrate achievement of business objectives, to support decisions and identify improvement.
BP.1 Define Measurement and Analysis Policy and Procedures
Policies are established, approved and communicated to ensure that measures are identified, collected, analysed, reported and used, to support the achievement of the business plan. Procedures are established for developing measures against key business objectives, to understand performance. The procedures define the method for identifying, collecting, storing, analysing and using measures. Policies and procedures are periodically reviewed and updated in line with the business plan. The policies and procedures are maintained under the management framework.
Input Work Products: Business Plan
Output Work Products: Measurement Policy; Measurement Procedures
ISO 9001: 4.2.1d), 4.2.3
Implementation: Measurement is embedded in the top-level documents for each management system. There is a specific Integrated Management Procedure (IMP02) focussed on audit and improvement.
Implementation inputs: [Business Needs] Strategy, Objectives, Targets, Key Performance Measures
Implementation outputs: Quality Policy; IS and ISMS Policies; IMP02, Audit and Improvement
BP.2 Identify Measurement Objectives and Data
The organization establishes where measures are necessary and identifies the objectives and data sources necessary to achieve them. The objectives and data sources are reviewed and agreed by stakeholders.
Input Work Products: Business Plan; Stakeholder Requirements
Output Work Products: Measurement Objectives; Measurement Data Sources
ISO 9001: 5.4.1
Implementation: Company-level measurement objectives are defined for each management system. The top-level objectives for the services business are in the SBM. There are more detailed measurement objectives in a document for Operations which informs the specific objectives for each software project. These are reviewed and agreed by the Quality Review Board (QRB, comprising COO, CTO and Quality Manager) for Quality, and the IS Forum for InfoSec.
Implementation inputs: Strategy, Objectives, Targets, Key Performance Measures; Quality Policy; IS and ISMS Policies
Implementation outputs: Quality Objectives; Services Business Manual; Operations Quality Objectives; Quality Plan: Quality Objectives; ISMS Overview
BP.3 Collect and Analyse Measurement Data
Measurement data is collected and stored in line with the collection method. The measurement data is validated and any need for additional measurement is identified. The measurement data is analysed to provide indicators and recommendations to stakeholders.
Input Work Products: Measurement Objectives; Measurement Data Sources
Output Work Products: Measurement and Analysis Data; Measurement and Analysis Report
ISO 9001: 8.2.3, 8.2.4, 8.4
Project Management
Process ID: PRJ.1 | Process Name: Project Management | Category: Project Procedures | Type: B/C
Process Purpose: To ensure that the projects meet their objectives. | Version: v1r0
Columns: Process Outcome; Process Base Practices; Input Work Products; Output Work Products; ISO 9001
OU.1 The organization achieves project objectives in a controlled manner, and delivery is on time, in budget and to quality.
BP.1 Establish Project Management Policies and Procedures
Policies are established, approved and communicated that govern the project management methodology and the delivery of projects. Procedures are defined, approved and made available for use, to implement the project management policies. The procedures cover project planning, tailoring, estimating, monitoring and control, resourcing, reporting, escalation, together with supplier, stakeholder, risk and issue management. The policies and procedures are maintained under the management framework.
Input Work Products: Business Plan
Output Work Products: Project Management Policies; Project Management Procedures
ISO 9001: 4.2.1d), 4.2.3
Implementation: The Delivery Manual contains the processes related to project management. It was reviewed and approved by a subset of the Board and Exec Committee. Supporting documents provide additional procedures. They are made available via the intranet.
Implementation inputs: Strategy; Annual Business Plan; Services Business Manual
Implementation outputs: Delivery Manual; SCOP-R: Project Control; Quality Objectives; Management Procedure 2: Progress Reporting; SCOP-P 9001, Risk Management
BP.2 Scope the Project
A scope statement is defined for the project with deliverables agreed by stakeholders. The quality objectives and the requirements for the project are established and documented. Objectives, constraints and assumptions are recorded and agreed before project initiation. Projects select and tailor the appropriate lifecycle model, and the rationale is documented. Estimates are produced against the agreed scope, including any necessary contingency. A budget for the work to be undertaken is prepared. The scope, objectives, constraints, selected approach, estimates and budget are reviewed by stakeholders and approved by management.
Input Work Products: Stakeholder Requirements
Output Work Products: Scope Statement
ISO 9001: 7.2.1, 7.2.2
Implementation: Project scope and estimates will have been defined as part of the proposal process. The Delivery Manual and SCOP-R describe how to initiate a project. The Project Plan and Quality Plan set out the key aspects for the project to be delivered.
Implementation inputs: Invitation to Tender/Request for Proposal; Proposal; Delivery Manual: Initiate Project; SCOP-R: Project Control; Operations Quality Objectives
Implementation outputs: Project Plan; Quality Plan: Project Lifecycle
Architectural Design
Process ID: TEC.13 | Process Name: Architectural Design | Category: Technical Processes | Type: B/C
Process Purpose: To produce a top-level design that identifies the major components and interfaces of the product. | Version: v1r0
Columns: Process Outcome; Process Base Practices; Input Work Products; Output Work Products; ISO 9001
OU.1 The top-level design addresses all the system requirements, with no defects found in development.
BP.1 Establish Development Approach
Different development approaches are considered in formulating the architecture design, and an approach is selected that best meets the system requirements. The selection decision and supporting rationale is documented, reviewed and approved.
Input Work Products: Lifecycle Model Description and Assets
Output Work Products: Selected Lifecycle
ISO 9001: 7.1, 7.3.1
Implementation: The initial development approach is captured in the quality plan and refined during the requirements and design stages.
Implementation inputs: SCOP-P 800x, Software Development Methods; ETC Agile Framework
Implementation outputs: Quality Plan
BP.2 Create Architectural Design
The top-level design is created taking into account the architectural standards of the organization. The major components and interfaces necessary to meet the system requirements are identified. System requirements are traceable to the major components. Interfaces include interactions between system components, and between the system and the external environment. Design constraints, assumptions and dependencies are documented.
Input Work Products: System Requirements
Output Work Products: Top Level Design; Traceability Report
ISO 9001: 4.2.1d), 4.2.3, 7.3.3, 7.5.3
Implementation: The system is designed to ensure that it meets the system requirements, external interfaces and selected design standards. Design specifications are produced in line with the design methodology selected. SCOP-P 2001 provides the default format and content for design specs. The approach to traceability depends upon customer requirements, the nature of the system under development and any applicable standards (e.g. higher levels of DO-178B), plus the design methodology and modelling tools being used.
Implementation inputs: System Requirements Spec; Quality Plan: Design Process; SCOP-P 200x, design standards
Implementation outputs: High Level Design; Traceability Matrix
BP.3 Review Architectural Design
The top-level design is reviewed by stakeholders to ensure all system requirements have been adequately addressed. The customer is advised of any adverse impact on cost, schedule and customer needs arising from the proposed top-level design, along with possible alternatives.
Input Work Products: Top Level Design
Output Work Products: Review Records; Top Level Design; Customer Notifications
ISO 9001: 7.2.3, 7.3.4, 7.3.5, 7.3.6
Implementation: The review approach is defined in the Quality Plan. Detailed reviews can include Preliminary and Critical Design Reviews with customer involvement.
Implementation inputs: High Level Design; Quality Plan: Review Process; SCOP-P 4001, Review Standards
Implementation outputs: High Level Design Review Records
BP.4 Manage Architecture Changes
Changes to the top-level design are formally controlled through the change control process. Changes to the top-level design are reviewed by stakeholders for their impact on cost, schedule and customer needs. The results of the review are communicated to stakeholders, and records maintained.
Input Work Products: Change Request
Output Work Products: Change Record
ISO 9001: 4.2.4, 7.2.3b), 7.3.7
What has TickITplus done for us?
So where do you want to be?
From Everett Rogers, Diffusion of Innovations, 1962
Modern, pragmatic, detailed process/practice requirements NOT good practice guidance (cf. TickIT) and less bureaucratic than CMMI
TickITplus Foundation level (BPL v1.0 with 22 processes) is equivalent to CMMI Levels 2/3 (resp. 7/11 processes)
Based on international standards - ISO 9001, with the ISO 15504 (aka SPICE) capability maturity dimension to be added
Regular, professional and independently assured assessments by certification bodies - currently BSI, DNV and LRQA in the UK cf. CMMI
Initially external assessment costs are higher (number of processes) BUT combined assessments across ISO 20000 and ISO 27001 will help.
TickITplus lessons/benefits
Some processes were initially challenging and may need improving/redefining/discussing with LRQA
• Configuration/change management
• Transition/release management
• Lifecycle model management
• Integration management
• Stakeholder requirements
• Improvement
LRQA’s recertification visit at end of August 2012
Extension to cover ISO 27001 later in 2012?
Could consider adding additional scope profiles?
Move up to Bronze (OK) and Silver (difficult) when available
Share the good news with the UK IT community via BCS, LRQA, Intellect, with Omniprove and Nexor.
IPL – where next with TickITplus?
Questions?
Dr Graham Gee FBCS CITP TSSF, Quality & InfoSec, [email protected], 475287
Eveleigh House, Grove Street, Bath BA1 5LR, 01225 475000
Nexor’s TickITplus Journey
Irene Dovey, Business Improvement Manager, Nexor Ltd
TickITplus and Nexor
connect transform protect
Company Profile
Our Positioning
[Figure: Nexor positioning across classification levels (Unclassified, Restricted, Confidential, Secret, TS) and assurance tiers]
High Assurance, Impact levels 4-6: specialised requirements, baseline components; tailored, accreditable solutions
Medium Assurance, Impact level 3: specialist COTS product, scheme assessment
Standard Assurance, low impact levels: commodity COTS products, wide choice
Nexor COTS products, Microsoft ready; full professional services package
Nexor capability: acknowledged domain expertise; end-to-end service; accreditation ready ‘OTS’ framework; process maturity
Our Customers and Partners
End Customers
• Bulgarian MOD
• Canadian DND
• CSEC
• European Defence Agency
• French MOD
• GCHQ
• Government of Canada
• Italian Navy
• NATO
• Netherlands Navy
• Niteworks
• Slovak Army
• UK MOD
System Integrators
• Cassidian
• CSC
• Elta-R
• Force Vision
• Fujitsu
• GD
• HP
• Interactive sbc
• Logica
• QinetiQ
• Scientia
• Selex
• Steria
• Ultra Electronics
Partners
• Accuvant
• Ascentor
• BAE Systems
• Boldon James
• FOX-IT
• IPL
• Microsoft
• Red Hat
• RJD Technology
• Titus Labs
• Tresys
Our Maturity
Our TickITplus journey . . .
ISO 9001 / TickIT and ISO 27001 in place for a number of years
Became interested in CMMI around 2006
Used the CMMI framework to widen and deepen the scope of improvement activities
Came to a point where we felt ready for formal CMMI Scampi appraisal . . .
. . . but just could not justify the cost (money and effort!).
So, how did we get to TickITplus?
Attended a business improvement workshop at Intellect in 2009 and first heard of TickITplus
Liked the sound of what we heard and volunteered to get involved in the Pilot Scheme
Slow start and not a lot happened for a while . . .
Then things started to move with changes to the Committee (JTISC) and we became involved in producing the Base Process Library (BPL).
So, how did we get to TickITplus?
Liked what we saw of the BPL and internally decided to use it as a tool to undertake a gap analysis
• confirming which practices we were doing
• and identifying ones which we weren’t!
Where possible, we involved staff relevant to the particular area
From this, we developed an improvement action plan
• capturing areas where we could improve
• and also where we could do things more simply.
Improvement Action Plan – example . . .
Columns: Action No; Improvement Activity; Action; Benefits; Owner; Date Created; By When; Progress
Action 1
Improvement Activity: Risk Management Framework procedure does not differentiate sufficiently between business and project risks
Action: Procedure to be updated and circulated for review. Comments / suggestions requested by 05/11/2010.
Benefits: A generic risk management approach across the Business.
Owner: IHD | Date Created: 01/11/2010 | By When: 05/11/2010
Progress: Reviewed, updated and published on the Intranet 10.11.2010. Action complete.
Action 2
Improvement Activity: Size measurement in estimation
Action: Currently collecting requirements vs actual effort metrics as a starting point.
Benefits: To improve and validate estimation
Owner: AJK | Date Created: 01/11/2010 | By When: 31/01/2011
Progress: 06.01.2011: Current requirements size measure is not effective. Further size measures are currently being reviewed. 11.02.2011: Consideration to reviewing GQM for this area - maybe incorporate complexity or number of user stories. 13.04.2011: Ongoing.
Action 3
Improvement Activity: Product Lifecycle Management
Action: Need to clarify our approach to new lifecycles in the PMF.
Benefits: To aid understanding of approach to Agile development which is new to the business.
Owner: AJK | Date Created: 01/11/2010 | By When: 30/11/2010
Progress: 06.01.2011: PMF updated to include this. Action complete.
Action 7
Improvement Activity: Measurement and Analysis needs reviewing
Action: Policy will be updated and consideration will be given to whether a dedicated procedure is required. Note: M&A is currently incorporated in Developing and Improving Policies and Procedures procedure.
Benefits: To aid identification of key areas where metrics may prove useful in monitoring and improving performance.
Owner: IHD | Date Created: 01/11/2010 | By When: 31/01/2011
Progress: 06.01.2011: Policy updated. 06.01.2011: AMP will review and update the current Metrics spreadsheet. IHD will review the Developing and Improving Processes and Procedures procedure and make recommendation on what is required. 11.02.2011: AMP to upload revised List of Metrics spreadsheet for comment. IHD to update D&IPP procedure in line with recommendations. 5.04.2011: Metrics re-circulated for comment (to AJK, KJB, IHD)
Action 24
Improvement Activity: QA, Documentation and Record Control would benefit from an approval matrix for each type of document
Action: Update the procedure
Benefits: Ensure clarity for document approval
Owner: DEF | Date Created: 01/11/2010 | By When: 02.12.2010
Progress: 10.11.2010: Procedure update. Action complete
So, how did we get to TickITplus?
Then decided to formally adopt TickITplus
In preparation:
• undertook Practitioner training in April 2010
• started working on our Process Reference Model (PRM)
• liaised with LRQA and sought guidance from Dave Wynn
Stage 1 Foundation-level assessment early December 2010
Stage 2 Foundation-level assessment mid-December 2010
. . . and became the first to become certified to TickITplus.
What have we gained?
Basically, TickITplus has reinvigorated our improvement activities!
BPL offers good practice over and above the Standards it incorporates
Mapping existing practices to BPL is a good way of doing a gap analysis to identify areas for improvement
Provides sound basis if the Process Area is new or is not currently effective
Opportunity to get the people who do the work to complete their Process Area (collaboration)
Demonstrates a commitment to quality to customers.
What have we learned?
External assessments are more rigorous
• initially and on an on-going basis
• no places to hide!
More time-consuming and does require preparation
• initially and on an on-going basis
Because more time is required, there is a cost implication
• transition and tri-annual assessments (not surveillance visits).
Now and where to next?
Since initial assessment, three surveillance visits
• Momentum keeps going
• Getting smarter (BPL becoming leading rather than lagging)
Looking to adopt the next phase of TickITplus which incorporates ISO 20000
• To help in developing our service offering
Plan to progress TickITplus through the capability route.
Nexor Ltd
Any queries or for more information on how we approached TickITplus
Irene Dovey, Business Improvement Manager, Nexor, [email protected], 0115 9520509
Question and Answer Session
Summary and Close