Transition to TickITplus . . . What, Why and how? Welcome and Introduction Peter Lawrence MSc FBCS CITP FCQI CQP Chairman Joint TickIT Industry Steering Committee

Posted on 16-Feb-2020

TRANSCRIPT

Page 1: Transition to TickITplus . . . What, Why and how?

Welcome and Introduction

Peter Lawrence MSc FBCS CITP FCQI CQP
Chairman Joint TickIT Industry Steering Committee

Page 2: Agenda – Morning

Welcome and benefits of TickITplus – Peter Lawrence, JTISC Chairman

Overview and components; Benefits from using the Business Process Library (BPL); Constructing your Process Reference Model (PRM) – David Wynn, Lead TickITplus Capability Assessor

11.15 Break and Refreshments

The Assessment Coverage Index (ACI) . . . Levelling the playing field; Assessor and practitioners – David Wynn

12.30 Lunch.

Page 3: Agenda – Afternoon

How to transition from TickIT to TickITplus using the Core Scheme Requirements (CSR) – Phil Willoughby, LRQA’s ICT Technical Manager

TickITplus case studies reflecting on experiences implementing TickITplus and lessons learnt:
• Nexor Ltd – Irene Dovey
• IPL Information Processing Ltd – Graham Gee
• Logica UK Ltd – Bill Martin

15.30 Break and Refreshments

Question and Answers Session – TickITplus panel

Summary and Close – Phil Willoughby

16.30 Finish.

Page 4: Welcome and benefits of TickITplus

Transition to TickITplus . . . What, Why and how?

Peter Lawrence MSc FBCS CITP FCQI CQP
Chairman Joint TickIT Industry Steering Committee

Page 5: TickIT Framework

• Established in 1992 to address growing concerns in the UK for the supply of dependable software and IT systems
• Specifies best practice, along with requirements for the formal qualification of ISO 9001 assessors within the IT sector
• Has been through five revisions, but is not perceived to have kept pace with the changes in the IT industry – in particular the growing focus on ‘services’ over ‘software’

New approach:
• to broaden appeal
• provide an integrated assessment framework
• regain lost credibility and customer confidence
• re-vitalise and re-energise auditors.

Page 6: TickITplus Drivers

• Critical dependency on IT systems
• Changing IT landscape
• Emerging (converging) standards:
  • ISO 20000 (ITIL/Service Management)
  • ISO 27001 (Security Risk Management)
  • ISO 12207 (Software Lifecycle)
  • ISO 15288 (System Lifecycle)
• Demand for a graded approach (ISO 15504, SPICE)
• Flexibility and graded costs
• Differentiation and competitive advantage.

Page 7: TickITplus Enhancements

Built on multiple international standards

UKAS accredited

Third party verified

Straightforward migration

Up-to-date and competent assessors

Focuses on outcomes and business drivers

Promotes positive and cooperative relationships with certification body (CB)

Encourages systematic and ongoing improvement

Provides a benchmarking framework.

Page 8: Do We Need Quality?

‘The project successfully rejected the established constricting and negative influences or prescriptive engineering, onerous quality requirements and outdated concepts of inspection and client control’

Petrobras 2001 (loss in excess of $500M)

Page 9: Where do assessment and certification programmes fail?

Lack of sponsorship and ownership from senior leaders

Insufficient link to business goals and objectives

Questionable business benefits

‘Trophy hunting’

Spiralling costs with no returns

Constrained by the standards and reference models

“It’s all very well you bringing up these certification issues, but we’ve got to deal with real business problems here”

EMEA Service Exec (during Services Board Meeting).

Page 10: What are the Ingredients for Success?

The CEO and top leadership are actively involved and committed

The programme is linked to defined strategic goals

Changes and improvements are linked to clear financial payback

Don’t adopt an ‘off the shelf’ solution

Customer focus is critical

Fortune Magazine.

Page 11: Summary – TickITplus Principles: From Conformance to Performance

A matrix of process Conformance against process Performance, with an action for each position:

Process states:
• Processes are chaotic and ‘out of control’ with poor and unpredictable performance with high cost of quality
• Processes are repeatable, but performance is poor
• Results are good but processes are non-standard with sub-optimisation and poor leverage
• Processes are repeatable and yield consistently good performance with high productivity

Actions:
• Drive systematic improvement in the core process
• Apply Standard Process and robust Quality Assurance
• Identify best practices and apply to standard processes
• Drive continual improvement in the core process

To achieve excellence an organisation must ‘standardise processes’ and drive ‘improvement’

Page 12: . . . cont TickITplus Principles

Continual Improvement – Integrated Management System (ex. QMS), moving from Conformance to Performance:

• ENTRY – Policy and working practices are formally documented
• BRONZE – Processes are systematic and deployed with a managed framework
• SILVER – Processes are measured and a baseline of repeatable performance is established
• GOLD – Process Improvements are implemented through quantitative evaluations
• PLATINUM – Processes are continuously improved

Continual improvement achieved through standardization and active assessment

FOUNDATION (Conformance): Establish ‘standard’ processes across the organisation

VISION (Performance): Characterise underlying performance and drive systematic improvement

Page 13: The Clock is Ticking . . .

Existing TickIT approvals will expire by the end of 2014

Page 14: TickITplus Overview

Transition to TickITplus . . . What, Why and how?

Dave Wynn CEng BSc MBCS
Lead TickITplus Capability Assessor, Omniprove Ltd

Page 15: Topics

• Overview and components
• Benefits from using the Base Process Library
• Constructing your Process Reference Model
• The Process Assessment Model
• The Assessment Coverage Index – Levelling the playing field
• Assessors and Practitioners

Page 16: So why TickITplus?

Background
• TickIT was introduced in 1991 – over 20 years ago
• It was aimed primarily at software development
• It provided only guidance
• Linked to ISO 9001 it provided only a pass/fail result

Today
• Emphasis on process capabilities and improvement
• The IT sector is now much more diverse
• Organisations value clearly specified requirements
• Desire for better differentials in supplier selection.

Page 17: Key Benefits

For organisations:
• Encourage and promote continuous improvements
• Support process development to meet business needs
• Institutionalise good processes and practices
• Reduce business risk as capability increases
• Reduce assessment disruption
• Involve organisational staff in assessments

For customers:
• Provide better criteria for supplier selection purposes
• Offer clear indications of suppliers’ process capabilities
• Allow better risk management

For assessment organisations:
• Provide a clear, well defined structure for conducting assessments with consistent and repeatable results.

Page 18: Key Differences and Changes

• Process orientated, using primarily:
  • ISO/IEC 12207:2007 FDIS (software lifecycle processes)
  • ISO/IEC 15288:2007 FDIS (system life cycle processes)
• Process capability based on ISO/IEC 15504-2:2003
• Extended standards coverage
• Formal improvements required
• Changed from guidance to requirements based scheme
• Active organisational participation in assessments
• 3 key components:
  • Base Process Library (BPL)
  • Process Reference Model (PRM)
  • Process Assessment Model (PAM).

Page 19: Process Capability Assessments

• Conducted to gain an appreciation of organisations’ processes against a defined measurement framework
• Characterises current practices in terms of the capability of the processes
• Examines processes to determine the effectiveness in achieving their goals (outcomes)
• Drives process improvements
• Using ISO 15504 part 2.

Diagram: Process Assessment, Process Capability Determination and Process Improvement, linked by ‘invokes’, ‘leads to’ and ‘motivates’ relationships.

Page 20: The Measurement Framework – 15504 Capability Dimension

Capability Levels:
• Level 0: Incomplete
• Level 1: Performed
• Level 2: Managed
• Level 3: Established
• Level 4: Predictable
• Level 5: Optimising

TickITplus grades: Foundation, Bronze, Silver, Gold, Platinum

Framework elements: Capability Level, Process Attributes, Rating Scale

Page 21: TickITplus What, Why and how?• ISO 20000 (ITIL/Service Management) • ISO 27001 (Security Risk Management) • ISO 12207 (Software Lifecycle) • ISO 15288 (System Lifecycle) Demand

Capability DimensionLevel 0: IncompleteLevel 0: Incomplete The process is not implemented or fails to achieve it

Purpose

Level 1: PerformedLevel 1: Performed The implemented process achieves its process purpose

Level 2: ManagedLevel 2: ManagedThe performed process is implemented in a managed fashion and its work products are appropriately established, controlled and maintained

Level 3: EstablishedLevel 3: EstablishedThe managed process is now implemented using a defined process capable of achieving its process outcomes

Level 4: PredictableLevel 4: Predictable The established process now operates within defined limits to achieve its process outcomes

Level 5: OptimisingLevel 5: Optimising The predictable process is continuously improved to meet relevant current project and business goals.

Page 22: Capability Dimension – Process Attributes & Generic Practices Level 2

Level 2: Managed – The performed process is implemented in a managed fashion and its work products are appropriately established, controlled and maintained

PA 2.1 Performance management attribute:
a) Objectives established
b) Planned and monitored
c) Adjusted to meet plans
d) Responsibilities and authorities defined, assigned and communicated
e) Resources and information are identified, made available, allocated and used
f) Interfaces between involved parties are managed.

Page 23: Capability Dimension – Process Attributes & Generic Practices Level 2

Level 2: Managed – The performed process is implemented in a managed fashion and its work products are appropriately established, controlled and maintained

PA 2.2 Work product management attribute:
a) Requirements defined
b) Requirements for documentation and control
c) Appropriately identified, documented and controlled
d) Reviewed in accordance with planned arrangements and adjusted as necessary.

Page 24: Scheme Stakeholders

Joint TickIT Industry Steering Committee (JTISC) – Overall scheme control and direction

Other stakeholder responsibilities shown:
• Standardisation, international harmonisation, certification, accreditation and general public interest requirements
• IT industry commercial requirements
• Accreditation of Certification Bodies for TickITplus
• Registration of Assessors and Practitioners
• Registration of Training Course Providers
• Provision of Examinations
• Scheme Office Management
• Website Management
• General Administration

Page 25: Revised Documentation

TickITplus Project Documentation:
• Requirements & Implementation Specification
• Assessor & Practitioner Qualification Criteria
• Training Course & Examination Criteria
• Outline Technical Specification
• Administration Design Specification
• Technical Design Specification

TickITplus Scheme Documentation:
• TickITplus Core Scheme Requirements
• TickITplus Base Process Library
• TickITplus Requirements for Assessors and Practitioners
• TickITplus Requirements for Training and Examinations
• TickITplus Process Guidance
• TickITplus Kick Start Guide
• TickITplus Implementation Guidance

Delivering Quality in IT

Page 26: Requirements Based Scheme

TickITplus Processes

ISO 9001 – Mandatory for Certification

• ISO/IEC 20000 Service Management
• ISO/IEC 27001 Information Security
• Others

Scope Reference Standards:
• IEC 61508 System Safety
• BS 25999 Business Continuity
• Others

Page 27: Practitioners

Important part of the TickITplus scheme:
• Would typically manage the PRM implementation
• Drive organisational improvements using TickITplus concepts
• Covered by recognised training and qualification paths similar to the Assessor route
• Essential to running effective external assessments
• Can lead and be a team member on internal assessments
• Only team member on external assessments but require recognised internal auditor qualification
• Will have their qualifications and possible conflicts of interest assessed by external team lead
• Can transition to Assessor with required auditor prerequisites that satisfy national Accreditation Bodies

Foundation training is available from LRQA and ITG.

Page 28: Grade Qualifications – Foundation

Assessor
• Quality and IT Skills and Experience: Min 5 years (or 4 with IT related degree) in IT related work; Min 2 years quality related work
• Education and Professional: Recognised national certificate in Secondary Education at primary level or above; Recognised national certificate in an IT related subject at diploma level or above; Recognised national quality Lead Auditor registration
• CPD Hours: Min 25 CPD hours over last 2 years
• TickITplus qualifications: Completion of the TickITplus Foundation Course and examination pass
• IT Skills Profile (BPL/SFIA): General level 4 across specialist profile (self declared); Level 5 on specialist profile as Lead
• Qualifying TickITplus Audits: Foundation Assessments only; None required for Team Member only; 5 Assessment Credits and at least 1 assessment as Lead under supervision (Exemptions for transferring TickIT Auditors)

Practitioner
• Quality and IT Skills and Experience: Min 5 years (or 4 with IT related degree) in IT related work; Min 2 years quality related work
• Education and Professional: Recognised national certificate in Secondary Education at primary level or above; Recognised national certificate in an IT related subject at diploma level or above; Audit experience; Recognised national Auditor registration (IRCA or equivalent) to be on an external assessment
• CPD Hours: Min 25 CPD hours over last 2 years
• TickITplus qualifications: Completion of the TickITplus Foundation course and examination pass
• IT Skills Profile (BPL/SFIA): General level 3 across specialist profile (self declared); Level 5 on specialist profile as Internal Lead or External Member
• Qualifying TickITplus Audits: Foundation Internal Assessments – None required for Team Member or Lead; Foundation External Assessments – None required for Team Member

Page 29: Key Components

• Base Process Library (BPL)
• Process Reference Model (PRM)
• Process Assessment Model (PAM)

Page 30: BPL Overview – Base Process Library (BPL)

• It is maintained by JTISC
• It provides a set of all IT and IT related Processes
• It describes processes in terms of purpose, outcomes, base practices and work products
• It defines the Scope Profiles and mappings between processes and requirements and reference standards
• It is used to create Process Reference Models.

Page 31: TickITplus Processes

Process categories: Organisational Processes, Maturity Processes, Agreement Processes, Project Processes, Technical Processes, IT Specific Processes.

Process types: Type M processes (mandated at Gold and Platinum Level), Type A processes, and scope dependent Type B/C processes.

Maturity Processes (Type M – Mandated at Gold and Platinum Level):
• Quantitative Performance Management
• Quantitative Process Improvement

Project, Technical and IT Specific Processes:
• Project Management
• Configuration & Change Management
• Decision Management
• Information Management
• Problem & Incident Management
• IT Finance Management
• Management Reporting
• Capacity Management
• Integration Management
• Verification
• Validation
• Operations Management
• Maintenance Management
• Disposal
• Requirements Analysis
• Stakeholder Requirements Definition
• Service Level Management
• Transition & Release Management
• Architecture Design
• Development Implementation
• Continuity, Availability & Contingency Management
• Domain Engineering
• Asset and Program Management

Organisational Processes:
• Data and Record Management
• Lifecycle Model Management
• Project Portfolio Management
• Resource Management
• Security Management
• Human Resource Management
• Management Framework
• Corporate Management & Legal
• Infrastructure & Work Environment Management
• Improvement
• Measurement & Analysis
• Customer Focus
• Risk Management

Agreement Processes:
• Acquisition & Contracts Management
• Supply Management & Business Relationships

Page 32: What is a Process?

Diagram elements: Inputs, Process, Outputs, Controls, Resources, Outcomes.

Page 33: Example BPL Process – Risk Management

Process ID: ORG.8 | Process Name: Risk Management | Process Category: Organisational Processes | Type: A | Version: v1r1

Process Purpose: To avoid or mitigate potential future events that could adversely affect reaching business objectives

Process Outcome: Risks are managed and business objectives are not adversely affected by unexpected conditions or events.

| Process Base Practice | Description | Input Work Products | Output Work Products | ISO 9001 | ISO 20000 | ISO 27000 |
|---|---|---|---|---|---|---|
| ORG.8.BP.1 Define Risk Management Procedure | The organisation’s approach for managing risk is defined, reviewed, documented and controlled within the Integrated Management System (IMS). | | Risk Management Procedure | 4.2.2 b), 4.2.3 | 3.2 c) | |
| ORG.8.BP.2 Establish Risk Management Plan | Risk management plans are defined for use by the organisation. This risk management plan includes the approach to be taken, roles and responsibilities, timescales and thresholds for triggering action. | Business Plan; Stakeholder Requirements; Risk Management Procedure | Risk Management Plan | 5.1 a), 5.5.1 | | A9.2.1 |
| ORG.8.BP.3 Identify and Analyse Risks | Risks, both internal and external, are identified, analysed and documented to determine the priority for action. | Business Needs; Business Objectives; Risk Management Plan | Risks | 8.5.3 | 4.2 d) | A9.2.5, A14.1.2 |
| ORG.8.BP.4 Track Risks | The status of each risk is monitored and appropriate actions are taken to address risks, where planned triggers are activated or defined thresholds are exceeded. Actions are reviewed to ascertain their effectiveness and changes made. The risk management documentation is updated with the status of current risks. All actions are tracked to closure and records are maintained. | Risk Management Plan; Risks | Risk Records | 8.5.3 | 4.2 d) | |
| ORG.8.BP.5 Report Status and Escalate | The status of each risk, together with any actions, is reported to stakeholders. Where actions are not effectively addressing the risk they are escalated. | Risk Records | Risk Reports | 8.5.3, 5.6.2 d) | 4.2 d) | |
| ORG.8.BP.6 Analyse Risk Management Performance | Data from across the organisation is reviewed and analysed in order to identify and address common or reoccurring risks. | Risks | Improvement Request | 8.2.3, 5.6.3 a) | | |

Page 34: Scope Profiles

• Service Management – Operations in a service management environment; delivering IT based services to clients – either outsourced or internal
• Systems & Software Development & Support – All aspects of systems and software development, both traditional and new methodologies. Long term support and maintenance.
• Project & Programme Management – Multidiscipline programme and project delivery as a specialist area: analysis, reporting, risk and general project management.
• Legal and Compliance – Dealing with the delivery of products or services within a legal and compliance framework; covering business analysis, corporate responsibility, risk and compliance audit
• Corporate Strategy Planning & Management – Taking an organisational wide view of IT operations, long term planning, high level management.
• Information Management & Security – Delivery of information and systems to meet both data and security requirements.
• Product Validation, Quality & Measurement – Independent testing and validation of product and services. Ensuring quantitative quality and measurements are applied to product development and delivery.
• IT Systems Engineering & Infrastructure – Operations involving network and data handling systems, server farms, data centres and supporting infrastructure.

Page 35: Scope Profiles and BPL Processes

Page 36: PRM Overview – Process Reference Model (PRM)

• It is produced and maintained by the organisation
• It is derived from the BPL but can be extended for organisational specific process needs
• Introduces defined processes through ‘tailoring’
• Maps Type-A, Type-B and any Type-C processes used to the organisational IMS
• Guidance on creating a PRM in ISO/IEC TR 24748, PAS 99, ISO/IEC TR 90005
• Primary role of the Practitioner to create the PRM.

Page 37: Example PRM Defined Process – Risk Management

Page 38: Process Assessment Model (PAM)

• Produced by the assessor but involving the organisation
• Derived from the PRM
• Identifies the assessment Implemented Processes Sample
• It brings together process performance and process capability indicators
• Records the Process Outcome ratings and identifies associated non-conformances
• Provides the basis for calculating Process Capability and Organisational Maturity
• Once completed provides the record of assessment.

Page 39: Implementation and Assessment

Swimlane diagram with lanes for Organisations, Assessors, Certification Bodies and JTISC. Activities shown:
• Base Process Library – Creation & Maintenance
• Scope Determination and Defining Certification Requirements
• Process Reference Model (from the BPL and the Org QMS)
• Contract
• Documentation and PRM Review
• Readiness Review
• Assessment Planning, Assessment Strategy and Assessment Schedule
• Conduct Assessment
• Process Assessment Model Report
• Corrective Action & Improvements
• Technical Review and Certificate Award
• TickITplus Certificate

Page 40: Exploration or Confirmation

Exploration
• Evidence does not need to be made available at the start of the assessment
• Evidence of adequate implementation of Base Practices and Work Products must be sought by external assessment team members
• The evidence must be tested by correlation to other evidence
• Interview will be used and must include external assessor

Confirmation
• Evidence is expected to be made available at the start of the assessment
• Any team member can confirm the evidence
• The evidence must be tested by correlation with other evidence
• Multiple samples are not necessary
• Interviews must be held to confirm the prepared sample and must include external assessor.

Page 41: Assessment Coverage Index

A calculation based on:
• Number of people in the TickITplus Scope
• Number of people covered by the Implemented Process Sample
• Number of hours effort planned for the Assessment.

| Assessment Mode | Foundation | Bronze | Silver | Gold | Platinum |
|---|---|---|---|---|---|
| Confirmation | 0.5 | 1 | 1.5 | 1.5 | 1.5 |
| Exploration | 1 | 2 | 3 | 3 | 3 |

Page 42: How to transition from TickIT to TickITplus

Transition to TickITplus . . . What, Why and how?

Certificate Renewal and Transitional Assessments – Foundation Level

Phil Willoughby, LRQA ICT Technical Manager

Page 43: TickITplus delivery process

• Contract Preparation
• Assessment Planning
• Readiness Review
• The Assessment
• Technical review
• Certification
• PRM Review

Page 44: Contract Preparation

• Assessment Strategy
• Scope of Business
• Number of Staff
• TickITplus Grade
• Profile
• Number of Defined Processes
• Number and Size of Workgroups

Quotation in mandays.




Documentation & PRM Review

Inputs:

• Assessment Strategy
• PRM
• Management System Documents

Output: Report

• Decision to proceed
• Non-conformities
• Versions of all documents.


Review Highlights

Alignment of Strategy and PRM

Complies with CSR requirements

Carried out by the Lead Assessor

Preferably on site

Demonstrates the organisation understands

Ensures the organisation is ready for the Stage 2 Assessment

Organisation's improvement plan.




Assessment Planning

Inputs:

• Assessment Strategy
• Improvement Plan
• Previous PAMs
• Assessment Reports

Outputs:

• Assessment Plan
• Schedule
• Resources.


Planning Highlights

Can be initiated at any time in the pre-assessment activity

Finalised after the Readiness Review

Confirmation or exploration modes selected

Creates the initial PAM

Determines the Implemented Process Sample.


Assessment Readiness Review

Has the organisation prepared for the Assessment?

• internal assessments and corrective action (at Foundation they can be TickIT type)

• improvement Plan is being implemented and monitored

• people allocated to plan activities (exploration mode)

• practitioner required evidence collected by the Practitioner (confirmation mode)

• assessment logistics arranged

• no significant changes since PRM Review or Assessment Planning activities

Can be conducted on site or remotely.




The Assessment

opening meeting

process verification

team agreement on the findings

completion of the PAM (other than at a transitional assessment)

report generation

closing meeting.


Process Verification

The defined processes are verified against the PAM by examining the IPS using the agreed assessment mode

For Foundation level only a single Process Attribute (PA), Process Performance, needs to be assessed

All defined processes assessed.


Findings

Findings are graded following team discussion:

• Positive and negative observations
• Major and minor non-conformities

The characterisation (rating) of PAs is based on the number and type of non-conformities.


Converting findings to ratings (rating columns: FI, LI, PI, NI)

• No findings

• Positive observations only

• Negative observations only: team decision based on the balance of positive and negative observations, risks, quantity of observations. Consideration should be given to raising a minor NC.

• 1 Minor NC: team decision based on the balance of any positive and negative observations and risks.

• Multiple Minor NCs: team decision based on the balance of any positive and negative observations, risks, quantity of NCs. Consideration should be given to raising a major NC.

• 1 Major NC: team decision based on the impact, risks, severity of any minor NCs, or positive and negative observations.

• Multiple Major NCs




Certification


Transitional Assessments

Designed to be simpler than a full initial or certificate renewal visit:

• PRM review, Planning and Readiness Review combined

• PAM not required

• Only 50% of type B processes require assessment

• Carried out by your regular Lead Assessor

• No characterisation required.


Transition – Integrating with Existing Monthly Visits

[Timeline figure] Visit: Request Transition -> Visit + 1: PRM, Planning and Readiness Reviews (additional visit) -> Visit + 1: Assessment (additional visit)


Summary

Transitional Assessments are a gentler route to TickITplus

The Core Scheme requirements document explains everything.


Transition to TickITplus . . .What, Why and how?

TickITplus Conformance to performance

Bill Martin, Assurance and Improvement Manager, Logica UK Ltd


Transition to TickITplus . . .What, Why and how?

TickITplus . . . what it can do for you

Graham Gee, Quality and InfoSec Manager, IPL


IPL Background

• Trusted, independent consulting & solutions house
• 30+ year track record
• 260 staff, £28m+ turnover
• Business/mission critical contexts
• Consistently exceed expectations
• Multiple market sectors:
  • Aerospace & Defence
  • Banking & Finance
  • Civil Government incl.
  • Emergency Services
  • Transport
  • Telecoms & Utilities.

Official Business Partner


IPL's focus on Quality

IPL's origins more than 30 years ago in UK Aerospace & Defence

Objective since 1979 "to provide customers with high quality, high reliability software within timescale, budget and specification"

"Quality is the responsibility of all individuals within the Company"

More than 20 years ago (before SEI's CMM existed):

• By 1988 IPL's QMS and processes were aligned to the international standard ISO 9001 and a few years later the TickIT software sector-specific scheme

• TickIT was largely adopted by the UK software development industry

• Especially in IPL's core market sector with high quality requirements.


Certifications & Affiliations

ISO 9001:2008/TickIT ISO 27001:2005 ISO 14001:2004


TickITplus

Was launched in 2011

3-year 'clock' to migrate from TickIT started ticking in Dec 2011

Adds process capability assessment, with levels mapped to international standard ISO/IEC 15504, similar to CMMI

So moves TickIT to same basis as CMMI but also:

• Backed by UK plc (including BSI, BCS, Intellect, MoD)

• Integral part of certification to international standard ISO 9001 by certification bodies such as BSI, LRQA and DNV

• Requires mapping of project, technical, organisational, IT-specific, agreement and maturity processes to the Base Process Library.


Steps to TickITplus: 2006-2010

TickIT lead auditor course in 2006:

• Declining interest in the scheme; only one accredited trainer in the UK

• Auditor and company registrations dropping; only ever good practice guidance

• CMMI had stolen a march in India and elsewhere from its US origins

Joined IPL in Oct 2007 aiming to bring QMS into 21st century

Long experience in Quality/TickIT and with BCS.


Steps to TickITplus: 2006-2010

TickITplus coming 'soon' as UK alternative to CMMI . . .

• But took a long time and there was chronic lack of communication

Occasional pressure around CMMI in questionnaires and responses

• Happened again at end of 2010 around Thales preferred supplier selection

Transition of Certification Body to LRQA – December 2010.


Steps to TickITplus: during 2011

Kept the faith – information sessions hosted at Intellect, early 2011

Speculative gap analysis cf. list of process titles – March/April 2011

Assessor/practitioner training by Dave Wynn for IT Governance – June 2011

Base Process Library (BPL) finally published – also June 2011

Confirmed gap analysis (cf. BPL) -> 1st draft PRM – July 2011

3-year 'clock' to migrate from TickIT started ticking in Dec 2011

LRQA Stage 1 assessment – end Sept 2011 -> 3 Minor N/Cs

LRQA Stage 2 assessment – Dec 2011 -> certification but raised 7 new Minor N/Cs (just before Christmas!) and Corrective Action Plan

Continuing assessment – end Mar 2012 – closed all TickITplus N/Cs.


What does TickITplus involve?

Eight scope profiles (currently two)

40 processes: original BPL had 22 (organisational, project and technical)

Mapped to four international standards:

• ISO 9001
• ISO 20000 and ISO 27001 – resp. Q2/Q3 2012
• ISO 15504 – basis laid but rest later, possibly 2013

Combined assessor/practitioner training – overseen by gasq

Currently three UK Certification Bodies (BSI, DNV, LRQA)

Run by Joint TickIT Industry Steering Committee (JTISC)


Measurement and Analysis (PRM extract)

Process ID: ORG.6
Process Name: Measurement and Analysis
Category: Organizational Processes
Type: A
Version: v1r0
Process Purpose: To provide information to enable better decision making.

Process Outcome

OU.1 Measurements are used to demonstrate achievement of business objectives, to support decisions and identify improvement.

Process Base Practices (each with Input Work Products, Output Work Products, ISO 9001 clauses, and IPL's mapping)

BP.1 Define Measurement and Analysis Policy and Procedures
Policies are established, approved and communicated to ensure that measures are identified, collected, analysed, reported and used, to support the achievement of the business plan. Procedures are established for developing measures against key business objectives, to understand performance. The procedures define the method for identifying, collecting, storing, analysing and using measures. Policies and procedures are periodically reviewed and updated in line with the business plan. The policies and procedures are maintained under the management framework.
Input Work Products: Business Plan
Output Work Products: Measurement Policy; Measurement Procedures
ISO 9001: 4.2.1d), 4.2.3
IPL implementation: Measurement is embedded in the top-level documents for each management system. There is a specific Integrated Management Procedure (IMP02) focussed on audit and improvement.
IPL inputs: [Business Needs] Strategy, Objectives, Targets, Key Performance Measures
IPL outputs: Quality Policy; IS and ISMS Policies; IMP02, Audit and Improvement

BP.2 Identify Measurement Objectives and Data
The organization establishes where measures are necessary and identifies the objectives and data sources necessary to achieve them. The objectives and data sources are reviewed and agreed by stakeholders.
Input Work Products: Business Plan; Stakeholder Requirements
Output Work Products: Measurement Objectives; Measurement Data Sources
ISO 9001: 5.4.1
IPL implementation: Company-level measurement objectives are defined for each management system. The top-level objectives for the services business are in the SBM. There are more detailed measurement objectives in a document for Operations which informs the specific objectives for each software project. These are reviewed and agreed by the Quality Review Board (QRB, comprising COO, CTO and Quality Manager) for Quality, and the IS Forum for InfoSec.
IPL inputs: Strategy, Objectives, Targets, Key Performance Measures; Quality Policy; IS and ISMS Policies
IPL outputs: Quality Objectives; Services Business Manual; Operations Quality Objectives; Quality Plan: Quality Objectives; ISMS Overview

BP.3 Collect and Analyse Measurement Data
Measurement data is collected and stored in line with the collection method. The measurement data is validated and any need for additional measurement is identified. The measurement data is analysed to provide indicators and recommendations to stakeholders.
Input Work Products: Measurement Objectives; Measurement Data Sources
Output Work Products: Measurement and Analysis Data; Measurement and Analysis Report
ISO 9001: 8.2.3, 8.2.4, 8.4


Project Management (PRM extract)

Process ID: PRJ.1
Process Name: Project Management
Category: Project Procedures
Type: B/C
Version: v1r0
Process Purpose: To ensure that the projects meet their objectives.

Process Outcome

OU.1 The organization achieves project objectives in a controlled manner, and delivery is on time, in budget and to quality.

Process Base Practices (each with Input Work Products, Output Work Products, ISO 9001 clauses, and IPL's mapping)

BP.1 Establish Project Management Policies and Procedures
Policies are established, approved and communicated that govern the project management methodology and the delivery of projects. Procedures are defined, approved and made available for use, to implement the project management policies. The procedures cover project planning, tailoring, estimating, monitoring and control, resourcing, reporting, escalation, together with supplier, stakeholder, risk and issue management. The policies and procedures are maintained under the management framework.
Input Work Products: Business Plan
Output Work Products: Project Management Policies; Project Management Procedures
ISO 9001: 4.2.1d), 4.2.3
IPL implementation: The Delivery Manual contains the processes related to project management. It was reviewed and approved by a subset of the Board and Exec Committee. Supporting documents provide additional procedures. They are made available via the intranet.
IPL inputs: Strategy; Annual Business Plan; Services Business Manual
IPL outputs: Delivery Manual; SCOP-R: Project Control; Quality Objectives; Management Procedure 2: Progress Reporting; SCOP-P 9001, Risk Management

BP.2 Scope the Project
A scope statement is defined for the project with deliverables agreed by stakeholders. The quality objectives and the requirements for the project are established and documented. Objectives, constraints and assumptions are recorded and agreed before project initiation. Projects select and tailor the appropriate lifecycle model, and the rationale is documented. Estimates are produced against the agreed scope, including any necessary contingency. A budget for the work to be undertaken is prepared. The scope, objectives, constraints, selected approach, estimates and budget are reviewed by stakeholders and approved by management.
Input Work Products: Stakeholder Requirements
Output Work Products: Scope Statement
ISO 9001: 7.2.1, 7.2.2
IPL implementation: Project scope and estimates will have been defined as part of the proposal process. The Delivery Manual and SCOP-R describe how to initiate a project. The Project Plan and Quality Plan set out the key aspects for the project to be delivered.
IPL inputs: Invitation to Tender/Request for Proposal; Proposal; Delivery Manual: Initiate Project; SCOP-R: Project Control; Operations Quality Objectives
IPL outputs: Project Plan; Quality Plan: Project Lifecycle


Architectural Design (PRM extract)

Process ID: TEC.13
Process Name: Architectural Design
Category: Technical Processes
Type: B/C
Version: v1r0
Process Purpose: To produce a top-level design that identifies the major components and interfaces of the product.

Process Outcome

OU.1 The top-level design addresses all the system requirements, with no defects found in development.

Process Base Practices (each with Input Work Products, Output Work Products, ISO 9001 clauses, and IPL's mapping)

BP.1 Establish Development Approach
Different development approaches are considered in formulating the architecture design, and an approach is selected that best meets the system requirements. The selection decision and supporting rationale is documented, reviewed and approved.
Input Work Products: Lifecycle Model Description and Assets
Output Work Products: Selected Lifecycle
ISO 9001: 7.1, 7.3.1
IPL implementation: Initial development approach is captured in quality plan. Refined during requirements and design stages.
IPL inputs: SCOP-P 800x, Software Development Methods; ETC Agile Framework
IPL outputs: Quality Plan

BP.2 Create Architectural Design
The top-level design is created taking into account the architectural standards of the organization. The major components and interfaces necessary to meet the system requirements are identified. System requirements are traceable to the major components. Interfaces include interactions between system components, and between the system and the external environment. Design constraints, assumptions and dependencies are documented.
Input Work Products: System Requirements
Output Work Products: Top Level Design; Traceability Report
ISO 9001: 4.2.1d), 4.2.3, 7.3.3, 7.5.3
IPL implementation: The system is designed to ensure that it meets the system requirements, external interfaces and selected design standards. Design specifications are produced in line with the design methodology selected. SCOP-P 2001 provides the default format and content for design specs. The approach to traceability depends upon customer requirements, the nature of system under development and any applicable standards (e.g. higher levels of DO-178B) plus the design methodology and modelling tools being used.
IPL inputs: System Requirements Spec; Quality Plan: Design Process; SCOP-P 200x, design standards
IPL outputs: High Level Design; Traceability Matrix

BP.3 Review Architectural Design
The top-level design is reviewed by stakeholders to ensure all system requirements have been adequately addressed. The customer is advised of any adverse impact on cost, schedule and customer needs arising from the proposed top-level design, along with possible alternatives.
Input Work Products: Top Level Design
Output Work Products: Review Records; Top Level Design; Customer Notifications
ISO 9001: 7.2.3, 7.3.4, 7.3.5, 7.3.6
IPL implementation: The review approach is defined in the Quality Plan. Detailed reviews can include Preliminary and Critical Design Reviews with customer involvement.
IPL inputs: High Level Design; Quality Plan: Review Process; SCOP-P 4001, Review Standards
IPL outputs: High Level Design Review Records

BP.4 Manage Architecture Changes
Changes to the top-level design are formally controlled through the change control process. Changes to the top-level design are reviewed by stakeholders for their impact on cost, schedule and customer needs. The results of the review are communicated to stakeholders, and records maintained.
Input Work Products: Change Request
Output Work Products: Change Record
ISO 9001: 4.2.4, 7.2.3b), 7.3.7


What has TickITplus done for us?


So where do you want to be?

From Everett Rogers, Diffusion of Innovations, 1962


TickITplus lessons/benefits

Modern, pragmatic, detailed process/practice requirements NOT good practice guidance (cf. TickIT) and less bureaucratic than CMMI

TickITplus Foundation level (BPL v1.0 with 22 processes) is equivalent to CMMI Levels 2/3 (resp. 7/11 processes)

Based on international standards - ISO 9001 with ISO 15504 (aka SPICE) capability maturity dimension to be added

Regular, professional and independently assured assessments by certification bodies - currently BSI, DNV and LRQA in the UK cf. CMMI

Initially external assessment costs are higher (number of processes) BUT combined assessments across ISO 20000 and ISO 27001 will help.


IPL – where next with TickITplus?

Some processes were initially challenging and may need improving/redefining/discussing with LRQA:

• Configuration/change management
• Transition/release management
• Lifecycle model management
• Integration management
• Stakeholder requirements
• Improvement

LRQA's recertification visit at end of August 2012

Extension to cover ISO 27001 later in 2012?

Could consider adding additional scope profiles?

Move up to Bronze (OK) and Silver (difficult) when available

Share the good news with the UK IT community via BCS, LRQA, Intellect, with Omniprove and Nexor.


Questions?

Dr Graham Gee FBCS CITP TSSF, Quality & InfoSec Manager, [email protected] 475287

Eveleigh House, Grove Street, Bath BA1 5LR, 01225 475000


Transition to TickITplus . . .What, Why and how?

Nexor’s TickITplus Journey

Irene Dovey, Business Improvement Manager, Nexor Ltd


TickITplus and Nexor

connect transform protect


Company Profile


Our Positioning

[Figure: positioning by assurance level against protective markings Unclassified, Restricted, Confidential, Secret and TS]

• High Assurance (Impact levels 4-6): specialised requirements; baseline components; tailored, accreditable solutions

• Medium Assurance (Impact level 3): specialist COTS product; scheme assessment

• Standard Assurance (low impact levels): commodity COTS products; wide choice

Nexor COTS products: Microsoft ready; full professional services package

Nexor Capability: acknowledged domain expertise; end-to-end service; accreditation ready 'OTS' framework; process maturity


Our Customers and Partners

End Customers: Bulgarian MOD, Canadian DND, CSEC, European Defence Agency, French MOD, GCHQ, Government of Canada, Italian Navy, NATO, Netherlands Navy, Niteworks, Slovak Army, UK MOD

System Integrators: Cassidian, CSC, Elta-R, Force Vision, Fujitsu, GD, HP, Interactive sbc, Logica, QinetiQ, Scientia, Selex, Steria, Ultra Electronics

Partners: Accuvant, Ascentor, BAE Systems, Boldon James, FOX-IT, IPL, Microsoft, Red Hat, RJD Technology, Titus Labs, Tresys


Our Maturity


Our TickITplus journey . . .

ISO 9001 / TickIT and ISO 27001 in place for a number of years

Became interested in CMMI around 2006

Used the CMMI framework to widen and deepen the scope of improvement activities

Came to a point where we felt ready for formal CMMI SCAMPI appraisal . . .

. . . but just could not justify the cost (money and effort!).


So, how did we get to TickITplus?

Attended a business improvement workshop at Intellect in 2009 and first heard of TickITplus

Liked the sound of what we heard and volunteered to get involved in the Pilot Scheme

Slow start and not a lot happened for a while . . .

Then things started to move with changes to the Committee (JTISC) and we became involved in producing the Base Process Library (BPL).


So, how did we get to TickITplus?

Liked what we saw of the BPL and internally decided to use it as a tool to undertake a gap analysis

confirming which practices we were doing

and identifying ones which we weren’t!

Where possible, we involved staff relevant to the particular area

From this, we developed an improvement action plan

capturing areas where we could improve

and also where we could do things more simply.


Improvement Action Plan – example . . .

Columns: Action No | Improvement Activity | Action | Benefits | Owner | Date Created | By When | Progress

Action 1
Improvement Activity: Risk Management Framework procedure does not differentiate sufficiently between business and project risks
Action: Procedure to be updated and circulated for review. Comments / suggestions requested by 05/11/2010.
Benefits: A generic risk management approach across the Business.
Owner: IHD
Date Created: 01/11/2010
By When: 05/11/2010
Progress: Reviewed, updated and published on the Intranet 10.11.2010. Action complete.

Action 2
Improvement Activity: Size measurement in estimation
Action: Currently collecting requirements vs actual effort metrics as a starting point.
Benefits: To improve and validate estimation
Owner: AJK
Date Created: 01/11/2010
By When: 31/01/2011
Progress: 06.01.2011: Current requirements size measure is not effective. Further size measures are currently being reviewed. 11.02.2011: Consideration to reviewing GQM for this area - maybe incorporate complexity or number of user stories. 13.04.2011: Ongoing.

Action 3
Improvement Activity: Product Lifecycle Management
Action: Need to clarify our approach to new lifecycles in the PMF.
Benefits: To aid understanding of approach to Agile development which is new to the business.
Owner: AJK
Date Created: 01/11/2010
By When: 30/11/2010
Progress: 06.01.2011: PMF updated to include this. Action complete.

Action 7
Improvement Activity: Measurement and Analysis needs reviewing
Action: Policy will be updated and consideration will be given to whether a dedicated procedure is required. Note: M&A is currently incorporated in Developing and Improving Policies and Procedures procedure.
Benefits: To aid identification of key areas where metrics may prove useful in monitoring and improving performance.
Owner: IHD
Date Created: 01/11/2010
By When: 31/01/2011
Progress: 06.01.2011: Policy updated. 06.01.2011: AMP will review and update the current Metrics spreadsheet. IHD will review the Developing and Improving Processes and Procedures procedure and make recommendation on what is required. 11.02.2011: AMP to upload revised List of Metrics spreadsheet for comment. IHD to update D&IPP procedure in line with recommendations. 5.04.2011: Metrics re-circulated for comment (to AJK, KJB, IHD)

Action 24
Improvement Activity: QA, Documentation and Record Control would benefit from an approval matrix for each type of document
Action: Update the procedure
Benefits: Ensure clarity for document approval
Owner: DEF
Date Created: 01/11/2010
By When: 02.12.2010
Progress: 10.11.2010: Procedure update. Action complete


So, how did we get to TickITplus?

Then decided to formally adopt TickITplus

In preparation:• undertook Practitioner training in April 2010• started working on our Process Reference Model (PRM)• liaised with LRQA and sought guidance from Dave Wynn

Stage 1 Foundation-level assessment early December 2010

Stage 2 Foundation-level assessment mid-December 2010

. . . and became the first to become certified to TickITplus.


What have we gained?

Basically, TickITplus has reinvigorated our improvement activities!

BPL offers good practice over and above the Standards it incorporates

Mapping existing practices to BPL is a good way of doing a gap analysis to identify areas for improvement

Provides sound basis if the Process Area is new or is not currently effective

Opportunity to get the people who do the work to complete their Process Area (collaboration)

Demonstrates a commitment to quality to customers.


What have we learned?

External assessments are more rigorous
• initially and on an on-going basis
• no places to hide!

More time-consuming and does require preparation
• initially and on an on-going basis

Because more time is required, there is a cost implication
• transition and tri-annual assessments (not surveillance visits).


Now and where to next?

Since initial assessment, three surveillance visits
• Momentum keeps going
• Getting smarter (BPL becoming leading rather than lagging)

Looking to adopt the next phase of TickITplus which incorporates ISO 20000

• To help in developing our service offering

Plan to progress TickITplus through the capability route.


Nexor Ltd

Any queries or for more information on how we approached TickITplus

Irene Dovey
Business Improvement Manager
Nexor
[email protected]
Tel: 0115 9520509

Transition to TickITplus . . . What, Why and how?

Question and Answer Session

Transition to TickITplus . . . What, Why and how?

Summary and Close