ITIL Implementation: Where to Begin


The Information Technology Infrastructure Library (ITIL®) is the most widely recognized best practice framework for IT Service Management. ITIL is a set of five "core guides" that contain the best practices for each phase of the

Service Lifecycle. Those phases are: Service Strategy, Service Design, Service Transition, Service Operation, and Continual Service Improvement. It is a methodology that takes a Service Lifecycle approach to the design, development, transition, operation, and improvement of an IT organization's services and processes.

In addition to providing the best practices around the activities, principles, and methodologies that are carried out in each phase of the Service Lifecycle, the five core guides provide details and insights into the best practices for twenty-six processes that can help ensure that IT is working as efficiently and effectively as possible, while minimizing costs and providing maximum benefit to the business.

The way in which the ITIL processes are implemented is highly dependent upon each individual organization. There are large and small companies, public, private and non-profit organizations, and to complicate it further, there are a significant number of industries in which those different organizations operate and compete. Each company has its own culture and dynamics that also play a part in how that particular company operates, so there is no single best way to institute the ITIL best practices.

This was considered when the best practices were created because they were developed to be non-prescriptive. This means that the ITIL core guides describe all of the best practices, but they don't require that they be instituted or implemented in any particular way, or even that all the best practices be utilized. This gives organizations a great deal of flexibility, and enables them to utilize the best practices as they make the most sense for their particular situation.

This paper will delve into some of the ways to get started and help you make the determination about the process on which they should focus, along with how to gain buy-in, and quickly show the value of ITIL in your organization. It will also provide insight into how to best ensure you are successful.

Why might an organization look to ITIL? Generally it is because of one of the following:

  • IT service issues are affecting business performance,
  • Customer perceptions of IT is poor
  • Agreed Service Levels aren't being met
  • Staff is not as productive as expected
  • There is a need to be more efficient and effective
  • Compliance to regulation and legislation has become a focus      The cost of providing IT services is too high

Pre-Initiative Preparation

There are a couple of common practices that any company embarking on an ITIL journey should carry out, and they are to start with communication and training. Let's take a brief look at each of these.

Communication is critical to a successful ITIL Initiative. Start by communicating the intention to embark on an ITIL Journey via a newsletter. The initial communication should be about the intention to implement and/or improve the IT processes in the organization, outline the reasons why, and outline the expectations. In addition the communication should outline the plan for training throughout the organization.

This newsletter should become a regular communication vehicle that is used throughout the initiative to communicate upcoming tasks and implementations, accomplishments, and benefits being realized from the effort. It should also be used to recognize staff members and teams who have provided significant contributions. However, communications shouldn't be limited to the newsletter. Use the company bulletin boards and online resources to post updates, successes, and recognition.

The other pre-project task to complete is the training communicated to the staff in the newsletter. It extremely important that the IT staff, IT management (including executives), and select business representatives attends ITIL training. The best-case scenario is that all staff attends ITIL Foundation training. This ensures that everyone understands the basic concepts, learns the common terminology, and that no one feels left out. It's a great way to make the staff feel included in the initiative in order to gain buy-in and support. It's important that the core team be the first to attend the Foundation training.

Next, the staff targeted to become process owners and process managers should take the intermediate level courses that teach the concepts around their area(s) of responsibility. Although many people feel they are ready for an ITIL initiative after becoming ITIL Foundation-certified, the concepts learned at that level are just the tip if the iceberg. For the core team of staff that will be responsible for the processes and the project to institute the best practices, advanced knowledge is critical.

To put it in context, during the Foundation-level training, about three hours are spent on each of the five phases of the Service Lifecycle. In the Intermediate level training, each phase is a three-day course. That's eight times the amount of information than is taught at the foundation level. That should give the reader some insight into how much more detail there is to help them ensure a successful initiative.

Finally, and depending on the size of the organization, two to three people should become ITIL Experts. They will be the go-to people in the organization, so make sure that you these people are on the core implementation team.

Defining the Project Scope

Begin by defining a reasonable scope for the project. Attempting to implement or improve too much at one time, and in particular, trying to implement all of the ITIL processes at the same time, will ultimately result in a failed initiative.

Although consultants can, and should, be brought in to assist, the bulk of an implementation or improvement of processes and services is generally undertaken by existing staff, so a realistic scope is critical to success.

The question is, what is the right initial scope? I'm often asked by clients or students, "Where do we start with ITIL?" or "Which process(es) should we implement first?" Those are great questions, but there isn't a simple answer. There are many ways organizations go about deciding where to start with implementing ITIL best practices. Well look at a few ways companies tend to make the decision, with the last being the recommended approach.

"The Big Three"

The first way many companies start isn't the most scientific approach, and this is to simply implement or improve upon the big three:

  1. Incident Management
  2. Request Fulfillment
  3. Change Management

Incident Management and Request Fulfillment

Most companies have a process to handle Incidents that occur in the environment and to respond to requests for assistance from users. However, these processes are not always as efficient or effective as they should be, and they aren't providing the value that is possible if best practices were used.

Incident Management is a process that is used to resolve issues that occur in the IT environment as quickly as possible to minimize the impact on the business. This process is owned and managed by the Service Desk, which is the single point of contact for users from an operational perspective.

The Request Fulfillment Process, also owned by the Service Desk, is meant to deal with requests from users. Requests can range from a question, to a password reset, to installation of standard software, or even for access to a service or set of services.

These two processes are very visible to the customer, which is why so many companies start with them. It is important that the representatives on the Service Desk have both technical and customer relationship skills. A good service desk can significantly improve the business's satisfaction with IT while a poor service desk can make a very good IT organization look bad.

Change Management

The purpose of this process is to manage changes to the IT environment. These modifications can include new services, changes to existing services, the removal or retirement of a service, or the transfer of a service to/from an external service provider. There are many issues that can occur when an organization doesn't have a well thought out Change Management process.

Although most companies have some type of Change process, it's normally more of a change notification process. The service in question has already been designed, developed, tested, and is ready for deployment when a change is opened to request permission to put it into production. This is not Change Management. The correct procedure is to open a Request for Change as soon as a Service or Process is chartered, which means it's been approved from a budget and resource perspective. In this case, the change is opened before any work starts, and it is managed throughout its design, development, testing, and deployment.

Pain Points

Another approach that is fairly straightforward is to focus where you are having the most issues. As an example, there was a company that was overwhelmed with the number of incidents they were encountering. The business was unhappy, and the help desk was overloaded, so their thought was that they should implement an Incident Management process.

However, by observing the activities of the organization, it became apparent after a very brief amount of time that incidents were a side effect of a bigger issue. Changes were being made in the production environment, but there was no evaluation of the modifications prior to implementation, and communication that the changes were going to be made was nonexistent. That resulted in extremely high number of incidents, as well as poorly implemented initiatives that were fraught with problems.

Notice that the symptom of the problem were incidents, so that one would think Incident Management would be the best place to start to resolve the pain. However, the activity of making changes was the root cause of those issues, so implementing the Change Management process was recommended. The point is that why something is happening needs to be evaluated before jumping in and fixing something that may not be an issue.

Process Assessment

The last way to be covered, and the recommended approach, is to perform a formal evaluation called a process assessment. Process assessments can be completed by internal staff or by using a consultant. There are pros and cons to both methods, but the goal is the same, and that is to determine where to focus your efforts.

A process assessment is used to understand both the maturity and capability of your processes, and provides insight into where there are gaps that should be filled. Maturity refers to how a process is being carried out and how closely is it being followed. Capability refers to how well the process is accomplishing its defined outcome. In other words, is it accomplishing its desired goals or objectives?

There are generally three approaches to scoping the assessment. They are: Process Only; People, Process and Technology; and Full Assessment.

  1. Process Only—The scope of a process-only assessment would focus strictly on the maturity and capability of a defined set of the IT processes.
  2. People, Process, and Technology—In this scenario, the process assessment would still be carried out, and along with that, the people, or functions required to carry out the activities of the process would also be assessed for efficiency and effectiveness. Finally, the underlying technology would be assessed to understand if it is able to support the objectives of the process(es).
  3. Full Assessment—The full assessment includes all of the activities of a people, process, and technology assessment, but goes further and would also include an assessment of the vision, mission, goals, and objectives of the organization along with its strategy and culture.

The additional activities in the full assessment would include ensuring the vision mission goals, objectives, and strategy are communicated down through the organization and that processes are defined and carried out such that they will help the organization achieve the desired state. In addition, the governance of processes will be reviewed to ensure that there are controls in place to guide improvement. Finally, the cultural portion of the assessment will give insight into how the organization handles decision making and ensuring the resources have the authority needed.

The results of the assessment can be used to benchmark your processes against industry standards in order to help you understand how well your organization compares with other organizations of the same size, type, and industry. It also gives insight into where there are gaps that if filled can help the organization improve the maturity and capability of their processes.

There are many frameworks and standards against which processes can be assessed. Let's briefly touch on a few:

  • The Capability Maturity Model Integrated (CMMI)—This is a well-known and widely using Maturity model that is used to help an organization understand what process improvement is needed. It has six defined levels of maturity, although as seen below, many diagrams leave out level 0, the level at which there is no evidence of a process. The following diagram briefly describes level one through level five.

ISO 15504—This is a recognized standard for evaluating processes in order to understand the areas of capability that need improvement. This ISO standard defines six (6) levels of process maturity that cover various aspects of process efficiency and effectiveness including:

  • Level 5 – Optimized Process
  • Level 4 – Predictable Process
  • Level 3 – Estavlished Process
  • Level 2 – Managed Process
  • Level 1 – Performed Process
  • Level 0 – Incomplete Process

Within the levels of maturity, the capability of the process is measured using the following process attributes:

  • Process Performance
  • Performance Management
  • Work Product Management
  • 3.1 Process Definition
  • 3.2 Process Deployment
  • 4.1 Process Measurement
  • 4.2 Process Control
  • 5.1 Process Innovation
  • 5.2 Process Optimization

For each of these areas, ISO 15504 also evaluates the level to which each process attribute is achieved using the following scale:

  • Not Achieved (N) 0% to 15%
  • Partially Achieved (P) >15% to 50%
  • Largely Achieved (L) > 50% to 85%      Fully Achieved (F) > 85% to 100%

There are many frameworks, including COBIT and TIPA, which utilize the ISO 15504 model for capability assessments. As you can see, although very similar, ISO 15504 defines each level very similarly but not quite the same as CMMI.

Control Objects for Information and Related Technology (COBIT)

COBIT focuses on the Capability of a process, or whether or not it achieves is defined objective. The model used for COBIT is based upon the ISO 15504 Standard and it also has five levels.

Tudor IT Process Assessment (TIPA)

This model was developed by the Public Research Center Henry Tudor in Luxembourg and combines the ISO 15504 Process assessment model with the ITIL best practices, so it is specifically designed with ITIL in mind. It is quickly becoming the de facto standard for performing an ITIL Process Assessment.

Regardless of the way you decide where to start, or which of the assessment models you decide to use for your assessment, the important thing is starting!

Carrying Out the Assessment

As previously stated, the goal of the assessment is to review and evaluate the maturity and/or operational capability of the organization's processes by focusing on quality of service, availability, efficiency, and compliance as defined by the standard or framework against which you are performing the assessment. The second goal is to determine where there may be processes that should be in place that have yet to be implemented. We'll now look at some common activities that should be undertaken when performing an assessment.

Document Review

It is important to review the organization's process documentation to gain an overall understanding the various aspects of the process. The areas that should be covered in the documentation are as follows:

  • Process roles (owner, manager and practitioners)
  • Process stakeholders
  • What triggers the process
  • Process inputs
  • Activities and their flow
  • Tools and automation
  • Common procedures and models
  • Process outputs
  • Information gathering requirements
  • Process feedback mechanisms including customer survey results
  • Measurements, including both Critical Success Factors (CSFs) and Key Performance Indicators (KPIs)


After reviewing the documentation to gain a complete understanding of the defined process or processes, the assessment team will perform interviews of the key players who are accountable and responsible for the process. The interviews will also include those resources carrying out the activities of the process and stakeholders that either use the process or are the recipients of the process outputs. These interviews can be one-on-one, or in a group setting.

The goal is to understand each stakeholder's perspective and gain insight into their views about how the process or processes work, where they see issues, how they view process compliance, and the benefits they think are being realized from the processes.

One would think that everyone's understanding should line up with the documented process and procedures, but that is not generally the case, and this gives the assessor insight into the areas that need improvement.

Acting on the Assessment

The next step is analyzing the information gathered, and creating the assessment report.

At the most basic level, the assessment report will provide an overview of the scope of the project and the type of assessment performed and the methodology and model used during the assessment. It will then outline the areas that are done well, and the areas where there are gaps, that if filled, can help the organization reach the next level in terms of both its maturity and capability. It also provides details about the new processes that should be implemented, improvements recommended for current processes, and how the governance and culture of the organization might change to better align with its defined vision mission and strategy.

What Defines Success?

Success can mean different things to different stakeholders, so prior to acting upon the recommendations in the assessment report and implementing an improvement or a new process, it is imperative to define exactly what will constitute success.

The goals and objectives should be agreed upon and documented. For each goal and objective, measurable targets should be defined, and measurements should be put in place for each one of the objectives. Monitoring and reporting will provide the answer to whether or not you have reached the targets, and thus, whether or not you have achieved success.

The successes should be celebrated and shared with the organization. The more value that's shown, the easier it will be to get additional funding for further improvement.

Quick Wins

One of the most important outputs of the assessment that should be in the report is "quick wins." A quick win is an improvement that has an immediate benefit, is widely visible to the business, IT, management, and other stakeholders, and can be implemented quickly.

The reason that quick wins are important is that they very rapidly show the benefit of instituting the best practices and they give relevance to the effort. They instill a sense of confidence to both the team and the other stakeholders. They also have the potential of changing the perception of those that have not bought into the initiative. Some additional benefits of quick wins include:

  • They give the implementation team credibility
  • They prove the cost and the effort involved is justified
  • It becomes more difficult for those who have not bought in to block the initiative
  • Success breeds success
  • They provide an opportunity to communicate success

The last item is very important and is worth repeating. Once implemented, quick wins and the benefits realized should be shared with the whole organization. This is a success that should be included in the newsletter.

What's Next?

Monitoring and assessment of an organization's processes to seek out gaps and areas that can be improved should be an ongoing activity. The best scenario is to appoint a Continual Service Improvement Manager who has the responsibility of ensuring that IT is continually aligned with the needs of the business.

Having an ongoing Continual Improvement initiative that focuses on improvement across all aspects of the IT organization will provide the visibility needed to ensure IT remains proactively aligned so that the business can achieve its goals and objectives.

In addition, assessments should be carried out on a scheduled basis. They are not one-time activities. The organization should continually be evaluated to ensure the organization remains focused on improving its maturity and capabilities.


There are many ways that organizations decide on the areas to focus, and how they are going to go about improving their processes. Regardless of the way an organization decides to start is really secondary to the fact is that they are looking at improving the way that IT supports the business.

About the Author

Michael Caruso is the founder and managing principal of ITSM Professional Consulting. With extensive experience in the information technology field, Mr. Caruso's practice offers IT service management, IT governance, and project management instruction and consulting. His background encompasses both technical and leadership roles in application development, infrastructure, service desk, and operations across many industries. Mr. Caruso is certified to teach all ITIL classes, as well as the COBIT Foundations, Cobot Implementation, Cloud Essentials, Virtualization Essentials, and Project Management courses.