
ITSM Gap Analysis - Template


Academic year: 2021


S# Concerns Compliance

1 Are there established IT Service Management:
a) policies? no
b) objectives?
c) plans?

2 Are all end-to-end IT services identified?

3 Are the IT services defined in terms of:
a) Customers / end users?
b) Suppliers/vendors?
c) Resources – Hardware
d) Resources – Software
e) Resources – Documentation
f) Resources – People

5 Is the executive responsibility for the co-ordination and management of all services allocated to an individual or post?

6 Does a management forum that includes IT service stakeholders operate to give clear direction and visible management support?

7 Are resources made available to determine and provide planning, implementation, monitoring, reviewing and improvement of service delivery?

8 Are risks to the service management organisation and to the services identified, considered and managed?

9 Is there a published policy on service improvement?

10 Are roles and responsibilities for service improvement activities clearly defined?

11 Are service reports considered in making decisions and taking corrective actions?

12 Do current/existing practices define:
a) objectives and requirements to be achieved from existing processes?
b) interfaces between activities of each IT service?
c) dependencies of each IT service?
d) framework of management roles and responsibilities, including process owners?
e) key roles and responsibilities of each IT service team member?
f) required budget, facilities and other resources?
g) provide an approach to managing, auditing and continuously improving the quality of services delivered?
h) where appropriate, address the use of third party suppliers within each IT service?

13 Do the existing IT service practices clearly identify:
a) which service reports are needed?
b) from where the data for these are derived?

14 Are there procedures and responsibilities for creating and maintaining relevant documents?

15 Do the existing IT service practices ensure that documents are:
a) created when required?
b) actively brought to the attention of all parties who could usefully refer to them?
c) legible and identifiable?
d) readily identifiable and available to all relevant parties?
e) dated and authorized as appropriate?
f) maintained under version control?
g) reviewed and updated as required?
h) promptly withdrawn when obsolete and either retained or disposed of as required?

16 Are staff competencies and training needs reviewed and managed such that staff can deliver their responsibilities effectively?

17 For all existing roles and responsibilities are the competencies defined and maintained?

18 Are proposals for new or significantly changed services considered in terms of:
a) potential cost?
b) organisational impact?
c) technical impact?
d) commercial impact?
e) regulatory impact?
f) security concerns?

19 Are staff and other stakeholders aware of:
a) the importance of meeting objectives and the need for continual improvement?
b) relevance and importance of their activities to the delivery of services?
c) how they contribute to the achievement of service objective?

20 Are all suggested service improvements:
a) assessed?
b) recorded?
c) prioritised?
d) authorized?

21 Are customer requirements determined?

22 Are customer requirements met? If yes, what is the evidence?

23 Are current service levels recorded for measuring improvements at a later date?

24 Do the current operational practices demonstrate any evidence of continual improvement in service quality?

25 Are service reports produced with clear description of:
a) identity?
b) audience?
c) purpose?
d) data source details?
e) communicated to all relevant parties?

26 Is there a planned audit programme to audit existing processes / practices?

Percentage of Compliance

Findings Compliance Level (%)

Apex policy needs to be defined

Service Delivery - Service Level Management

S# Concerns Compliance

1 Does a formal/informal Service Level Management process exist for this service?

2 Is there an identified process owner?

3 Have the aims and objectives of the process been defined and documented?

4 Have the roles and responsibilities for the process been clearly defined and allocated?

5 Are there formal agreements, agreed by all parties, for all services that support SLAs and are provided internally within the organisation (OLAs)?

6 Is there a service catalogue showing the full range of IT services available to customers?

7 Have all underpinning support services relevant to SLAs/services been identified?

8 Is there an agreement on:
a) service level targets?
b) expected service workloads?

9 Is there a procedure for the agreement of temporary variations to the service?

10 Are the service level targets expressed in terms of customer’s business?

11 Are OLAs and underpinning contracts regularly reviewed and renegotiated as part of significant change control?

12 Are the reasons for non-conformance to targets:
a) reported?
b) reviewed?
c) acted upon?

13 Is there monitoring and reporting of current and trend information on:
a) the service levels achieved?
b) the resources used?
c) the cost of the service?

14 Are there adequate documentary records to enable audit of the existing process?

Percentage of Compliance

Findings Compliance Level (%)

Service Delivery - Financial Management Of IT Services

S# Concerns Compliance

1 Is budgeting and accounting of IT services done for all IT services?

2 Is there a clear policy on:
a) budgeting and accounting for all components?
b) apportioning and allocating all indirect costs to relevant services?
c) effective financial control and authorization?
d) establishing the anticipated and actual costs of each delivered service?

3 Is there a process synergy with the organisation’s financial control section?

4 Is the basis for cost recovery defined and widely understood?

5 Is IT expenditure budgeted for the future to enable effective control and decision-making?

6 Are changes to the services costed as part of the change approval process?

7 Are the main areas of expenditure broken down in cost units?

8 Are costs monitored and reported against budgets?

9 Are service cost units and expenditure cost types reviewed at each new costing period, e.g. annually?

Percentage of Compliance

Findings Compliance Level (%)

Percentage of Compliance

Service Delivery - Availability Management

S# Concerns Compliance

1 Does a formal/informal Availability Management process exist for IT services?

2 Is there an identified process owner to ensure availability of the services?

3 Have the aims and objectives for the availability of the services been defined and documented?

4 Have the roles and responsibilities for the availability of the services been clearly defined and allocated?

5 Is there an Availability Plan that reflects the availability requirements of the customer into internal availability targets?

6 Are business plans and risk assessments used as inputs to establishing availability requirements?

7 Have the availability requirements, including maintainability and serviceability, been considered during system design and major change?

8 Are issues that might affect availability predicted and prevented?

9 Is availability defined, measured, monitored and delivered in terms of the service required for business process?

10 Do availability requirements include:
a) End-to-end availability from the user perspective?
b) Access rights?

11 Are there any availability records?

12 Do availability records reflect:
a) The organisation’s relative dependence on the IT service?
b) Identify the relative reliance of the IT service at different periods of time?

13 Are availability audits carried out to identify weak and potentially weak areas and single points of failure?

14 Are availability requirements reviewed periodically to ensure that requirements are being met?

15 Is historical availability information maintained?

Findings Compliance Level (%)

Service Delivery - IT Service Continuity

S# Concerns Compliance

1 Does a formal/informal IT Service Continuity Management process exist for IT services?

2 Is there an identified process owner to ensure availability of the IT services?

3 Have the aims and objectives for continuity of the services been defined and documented?

4 Have the roles and responsibilities for the continuity of the services been clearly defined and allocated?

5 Is there a DR Plan for the restoration of the services following a failure or a disaster?

6 Are business plans and risk assessments used as inputs to establishing continuity requirements?

7 Is management authority for invoking a contingency/DR plan unambiguous and documented?

8 Does the DR Plan cover all administrative and non-IT processes within the service management function?

9 Does the service continuity process address:
a) the implementation of continuity plans?
b) the implementation of standby arrangements?
c) how risk reduction measures are devised and implemented?
d) operational management during contingency situations?
e) the maintenance and testing of continuity plans?

10 Are all data backed up at intervals appropriate to business?

11 Are data backups stored safely from live data?

12 Are reports produced on test of the continuity plans?

13 Are test reports reviewed with stakeholders and acted upon?

Findings Compliance Level (%)

Rakesh Gupta

Informal Continuity Plans and processes do exist at individual app level, but such data is not available for review

Business Risk assessment, RTO, RPO are not calculated

S# Concerns Compliance

1 Does a Capacity Management process/activity exist in the current scenario?

2 Is there a Capacity Plan?

3 Are capacity implications considered during system development or modifications?

4 Are all services assessed for capacity implications at suitable intervals?

5 Are services assessed for all relevant capacity factors including non-IT resources?

6 Are there appropriate tools to provide the data required?

7 Have methods, procedures, and techniques been identified and applied in order to:
a) monitor service capacity?
b) tune service performance?
c) provide adequate capacity?

8 Do existing practices address:
a) predicted future business requirements?
b) time-scales, thresholds and cost of service upgrades?
c) current capacity and performance requirements?
d) anticipated capacity and performance requirements?
e) data and process to enable predictive analysis?
f) the anticipated effect of new technologies, techniques and upgrades?

Findings Compliance Level (%)

Service Delivery - Security Management

S# Concerns Compliance

1 Does a formal/informal Security Management process exist for IT Services?

2 Is there an identified process owner?

3 Have the aims and objectives of the process been defined and documented?

4 Have the roles and responsibilities for the process been clearly defined and allocated?

5 Are the information security aims and objectives established via risk management considerations?

6 Are the controls of the Information Security Policy published and communicated as appropriate to all system users including:
a) service management personnel?
b) customers?
c) suppliers?
d) Temporaries?

7 Are customer’s specified requirements taken into account in implementing appropriate security controls?

8 Are arrangements that involve third party access to systems based on formal agreements that define necessary security arrangements?

9 Are there appropriate security controls to manage the risks associated with access to services and systems?

10 Are security incidents reported in line with incident management procedure as soon as possible after the incident is discovered?

11 Are security controls documented?

12 Is automatic protection in place for business critical systems (h/w, s/w, documentations, etc)?

13 Are the types, volumes and impacts of security incidents and malfunctions monitored and quantified?

Findings Compliance Level (%)

S# Concerns Compliance

1 Does a formal/informal Business Relationship Management process exist for this service?

2 Is there an identified process owner?

3 Have the aims and objectives of the process been defined and documented?

4 Have the roles and responsibilities for the process been clearly defined and allocated?

5 Is the service provider aware of the business needs and major changes such that they can prepare responses to customer need?

6 Are the business needs of the customer documented (formally/informally)?

8 Are stakeholders of services identified and documented?

9 Are customer satisfaction measurements that cover all customers, in place?

10 Do the customer and service provider attend a service review to discuss changes to scope, SLA/contract, business needs at least annually?

11 Are interim meetings held to discuss performance, achievements and action plan?

12 Are meetings with customers documented?

Is there a complaints procedure?

13 Has it been agreed with the customer what constitutes a formal complaint?

14 Are all customer complaints recorded, investigated, acted upon and formally closed?

Percentage of Compliance

Findings Compliance Level (%)

Percentage of Compliance

S# Concerns Compliance

1 Does a formal/informal Supplier Management process exist for this service?

2 Is there an identified process owner?

3 Have the aims and objectives of the process been defined and documented?

4 Have the roles and responsibilities for the process been clearly defined and allocated?

5 Is a named contract manager responsible for each supplier?

6 Are customers aware, if necessary, of when and where services are supplied by third parties?

7 Is there a policy covering the circumstances when services can or must be supplied by third party?

8 Are the process scope, level of service and communication processes provided by the supplier documented unambiguously and agreed by all parties?

9 Are there agreements with internal and external service providers aligned with the SLAs/business needs of the customer?

10 Is there a process to follow in the event of a contractual dispute?

11 Is there a change management process to amend the process, scope, level of service or contract?

12 Are third parties actively encouraged to search for and implement improvements?

13 Are suppliers notified of change requirements in timely fashion?

14 Are roles and relationships between lead and subcontracted suppliers clearly documented?

Percentage of Compliance

Findings Compliance Level (%)

Percentage of Compliance

S# Concerns Compliance

1 Does a formal/informal Incident Management process exist for IT services?

2 Is there an identified process owner?

3 Have the roles and responsibilities for the process been clearly defined and allocated?

4 Are the procedures designed to minimize the impact of service incidents?

5 Are major incidents defined, classified and managed according to a defined process?

6 Is the method of contacting IT service support well publicized throughout the organisation?

7 Are all incidents recorded?

8 Are all calls logged?

9 Are all calls routed via a central point of contact?

10 Do the staff who receive calls have knowledge/training in the business processes being supported?

11 Do the staff in the Incident Management process have access to a knowledge base?

12 Are customers/users kept informed of the progress of incidents they have reported?

13 For all service incidents do the procedures define:
a) recording?
b) prioritisation?
e) classification?
g) allocation?
h) escalation?
i) resolution?
j) formal closure?

14 Are appropriate details of each incident recorded?

15 Does the Incident Management process or a mechanism exist to monitor the status and progress of all open incidents against service levels regularly?

16 Does the Incident Management process or a mechanism exist to monitor incidents that are reassigned between different specialist support groups closely?

17 Does the Incident Management process confirm with the originator the satisfactory resolution of the incident?

Findings Compliance Level (%)

S# Concerns Compliance

1 Does a formal/informal Problem Management process exist?

2 Is there an identified process owner?

3 Have the aims and objectives of the process been defined and documented?

4 Have the roles and responsibilities for the process been clearly defined and allocated?

5 Are all known errors identified?

6 Are all identified problems recorded?

7 Does a knowledge base of incident information exist and is it up-to-date?

8 Are all problems classified, cross-referenced and related to relevant, previously logged and resolved incidents, problems and known errors?

9 Is problem prevention considered a fundamental part of managing IT services?

10 Are there procedures to identify, minimize or avoid the impact of service problems?

11 Are all suggested changes and improvements that might remove errors and prevent incidents routed via change management?

12 Are incident records analysed regularly to detect the increase or reduction of incidents and problems?

13 Are all identified known errors, workarounds and solutions fed back into a service improvement programme?

14 Are impact and urgency evaluated in respect of the business needs of the organisation?

15 Does the problem closure process ensure that:
a) the details of the problem resolution have been accurately recorded?
b) the cause of the problem has been categorized to facilitate analysis?

16 Are problem reviews (post mortems) held following the resolution of a problem?

17 Are regular management reviews held to highlight problems requiring immediate attention, determine and analyse trends and to provide inputs for other processes, such as customer or service desk education?

Findings Compliance Level (%)

Control Process - Configuration Management

S# Concerns Compliance

1 Does a formal/informal Configuration Management process exist for this service?

2 Is there an identified process owner?

3 Have the aims and objectives of the process been defined and documented?

4 Have the roles and responsibilities for the process been clearly defined and allocated?

5 Is there an integrated change and configuration management plan?

7 Is there a well understood policy defining what constitutes a configuration item?

8 Is the information to be recorded for each item defined, including relationships and documentation?

9 Does configuration management process/mechanism cover all elements of the infrastructure?

10 For configurable components of the service and infrastructure, does configuration management provide mechanisms for:
a) identifying?
b) controlling?
c) tracking versions?

11 Does the degree of control meet:
a) business needs?
b) risk of failure?
c) service criticality?

12 Is information on any configuration item available on need-to-know basis to customer/supplier/service staff?

13 Is there a defined owner for each configuration item type at each applicable life cycle stage?

14 Are configurable items (CIs) uniquely identifiable (Item code)?

15 Are there procedures to prevent unauthorised updating of configuration records?

16 Can configuration baselines, builds and releases be easily and accurately identified?

17 Are critical configuration items (CIs) identified?

18 Are logical and physical relationships between CIs recorded?

19 Are appropriate statuses defined for CIs?

20 Is the inventory actively managed and verified to ensure its reliability and accuracy?

21 Are master copies of software and documents controlled in a secure physical or electronic library?

22 Are changes to configuration items traceable and auditable?

23 Do configuration records include ownership and identification details?

24 Is there a central data repository (CMDB)?

25 Are regular and accurate reports produced for management?

26 Is random check on CIs carried out (audits)?

Findings Compliance Level (%)

Control Process - Change Management

S# Concerns Compliance

1 Does a formal/informal Change Management process exist for this service?

2 Is there an identified process owner?

3 Have the aims and objectives of the process been defined and documented?

4 Have the roles and responsibilities for the process been clearly defined and allocated?

5 Are there formal procedures to ensure that all changes are approved, checked and implemented in a controlled manner?

6 Are customers aware, if necessary, of when and where services are supplied by third parties?

7 Are all changes to CIs recorded?

8 Is the implementation of new or changed services, including closure of a service, planned and approved through a change management process?

9 Does the planning for new/changed service address:
a) all relevant roles and responsibilities?
b) changes to existing service management framework and services?
c) communication to relevant parties?
d) consequential contracts/agreements to align with new/changed business need?
e) manpower and recruitment requirements?
f) skills and training requirements?
g) processes, measures, methods and tools to be used with new/changed services?
h) budgets and timescales?
i) service acceptance criteria?
j) expected outcomes expressed in measurable terms?

10 Does change management cover all elements of the infrastructure?

11 Are changes initiated through a formal procedure (Request for Change – RFC)?

12 Are there appropriate authorisation and implementation procedures for each category of change?

13 Is there a procedure to assess the impact, urgency and consequences of each change?

14 Are change requests assessed for:
a) risks, business benefit and impact?
b) cost and urgency?
c) impact on availability and service continuity?
d) impact on security controls?
e) impact on incident management process (service desk workload)?

15 Is a change schedule, taking account of all factors, including scheduled implementation dates, published and accessible to all appropriate parties?

16 Is release/implementation plan required for all except the simple changes?

17 Are back-out plans always produced and checked for practicality?

18 Is appropriate testing planned and executed, including formal customer acceptance as appropriate?

19 Are all changes reviewed, results reported to relevant parties and actions taken after implementation?

20 Is there a formal documented and well understood emergency change procedure?

21 Are change records analysed regularly to detect increasing levels of change, frequently recurring types, emerging trends and other relevant information?

22 Are change records audited and verified?

23 Are audit trails retained in accordance with regulatory, contractual and business requirements?

Findings Compliance Level (%)

S# Concerns Compliance

1 Does a formal/informal Release Management process exist for this service?

2 Is there an identified process owner?

3 Have the aims and objectives of the process been defined and documented?

4 Have the roles and responsibilities for the process been clearly defined and allocated?

5 Is there an agreed and documented policy stating the frequency and type of release?

6 Are there appropriate and comprehensive plans on how to roll out a release to each site and user, agreed and signed off by all potentially affected parties?

7 Are there software libraries and related repositories for managing and controlling software baselines and releases?

8 Do procedures include the access and update of configuration records and versions of software, hardware and documentation used in the build and release processes?

9 Does the existing process include the manner in which the release will be backed out or remedied if unsuccessful?

10 Are release packages formally verified for completeness and accuracy?

11 Do release plans:
a) record release date and deliverables?
b) record related RFCs, problems and known errors?
c) record related incidents, affected users and services?

12 Does release procedure include the updating of change and configuration records?

13 Is there an emergency release procedure that interfaces with emergency change procedure?

14 Are all releases built and tested in a controlled acceptance test environment before release?

15 Are releases and distribution designed so that the integrity of hardware and software is maintained during installation, handling, packaging and delivery?

16 Are release plans communicated to incident management?

17 Are the successes and failures of releases analysed regularly to assess their impact on business, IT operations and support staff resources?

18 Are incidents related to release measured for a period following release?

Findings Compliance Level (%)
