There is a quote attributed to Napoleon Bonaparte that goes something like “A soldier will fight long and hard for a bit of coloured ribbon.” Medals to you and me! Our itSMF UK face-to-face session in Manchester in June set out to prove just how true that statement is. For soldiers, read employees of our speakers’ organisations and the coloured ribbons in this case were CMMI, SDI, ITIL, ISO 27001 and Cyber Essentials assessments and accreditations.
Nicci Postlethwaite from BT Business Managed Services (our hosts) was our first speaker. Nicci regaled us with the story of their journey to achieve three separate accreditations. First came a CMMI for Services accreditation, followed by a 3-star award for SDI’s Service Desk Certification (SDC). Lastly, BT recently became the first organisation globally to complete a fully certified ITSM Maturity Assessment based on the ITIL Maturity Model. The assessment was conducted by itSMF UK in their role as an Axelos Consulting Partner.
Nicci started by outlining some of the primary business benefits of aligning to industry standards, namely building credibility and trust, ensuring compliance, mitigating risks, increasing compatibility and providing key market differentiators. Giving us her more personal perspective, Nicci explained that she felt the hidden, and somewhat greater, business benefits come from using the standards to inform internal quality frameworks, enabling benchmarking (both internally and externally) and identifying opportunities to improve customer experience and organisational maturity. Using the various ISO, SDI and CMMI frameworks has enabled her area of BT to thrive and to drive a culture of standardisation, maturity and continual improvement.
Nicci then provided a brief overview of how BT Business Managed Services started on the journey, using CMMI for Services to give them a solid foundation of standardisation in core business processes and ITIL practices. She then described the SDI assessment experience, along with how they navigated the uncharted waters of being the first organisation to undergo a fully certified ITSM Maturity Assessment.
Nicci said that, during the assessments, BT highlighted the importance of using collaboration tools and digital technology, taking things step by step and engaging stakeholders at every stage.
Reflecting on the journey thus far, Nicci summarised that “the more you look to align with industry standards and frameworks, the easier it becomes when you use an iterative approach hand in hand with a culture of improvement.” Using the standards to drive upwards of 650 improvements, Nicci stressed the importance of “embracing the journey as that’s where the value lies.” The whole BT team are looking forward to seeing where the road leads in the future, but for now they are on a path with clear sight of the next improvement goals.
Are standards worthwhile?
Second to speak was Richard Horton from the National Institute for Health Research’s Clinical Research Network Coordinating Centre (NIHR CRNCC for short!). Richard focused on their journey to achieving the ISO 27001 and Cyber Essentials security standards. Despite the importance of this topic, it isn’t always easy to achieve engagement within the organisation. Richard started by taking us through the imaginative and diverse set of blogs that he has used to enthuse his stakeholders. His ability to draw parallels between everyday topics and pertinent cyber security concepts was fascinating.
Richard then posed a simple question: are standards worthwhile? “For us at CRNCC, implementing ISO27001 and holding ourselves to account through external assessment has had a significant impact on how secure we are. The plumbline of an external assessor makes a real difference. And, while achieving it involves more work, apart from the external audit itself, I see it as no more than what we should be doing anyway. So, yes, very much worthwhile.”
Richard went further adding, “The more interesting angle from my perspective is that our ISO27001 journey has helped us to uncover the power of education. In particular, we talk about information security matters from different perspectives, usually employing stories that have nothing to do with work – for example, how road signs and car MOTs help us to complete journeys and stay safe. These analogies help people to think about the underlying issues rather than just ticking a compliance box.”
For more information on this approach, check out Richard’s blog on the itSMF UK website: The Inside Story of a popular security management blog – itSMF UK.
His one critical piece of advice is that it’s a people thing. “Yes, you need your patching regime to work. But so much of how secure you are depends on the effectiveness of your education. That starts from the top, with senior management promoting and prioritising good practice, and seeps through to your staff. When situations crop up, staff are then equipped to make appropriate day-to-day decisions.”
Own the process!
After a sandwich lunch kindly provided by BT, it was the turn of Barry Corless from CGI to analyse the whole assessment process from the point of view of the auditor. Barry has delivered many SDC audits for SDI, in addition to ITIL audits, over the past 20 years. His own organisation has held SDI’s 5-star World Class Service Desk accreditation for 11 years. Those experiences were central to his key messages.
Covering activity in advance of the audit, Barry emphasised the importance of ownership of the process. “It is not an ‘end of desk’ activity. It must be allocated ringfenced time if you are to get the value you expect from the whole process and give yourself the chance of a result that is a true reflection of your position.”
During the audit itself, remember that some evidence can be difficult to find or articulate. Barry suggested that “the observation sessions that typically accompany an audit should be used to try to fill any gaps in persuading your auditor that you do indeed comply with the standard.”
And at the end of the assessment? With a positive outcome, celebrate success. Audits and assessments are group efforts. Barry added that, in his experience, “auditees often find they are better than you thought they might be. Tell the story of your success, but don’t forget to add context for external messaging to other parts of your organisation. For example, if a compliance audit opens up new markets or opportunities, then don’t be afraid to ‘blow your own trumpet’.”
Barry suggested (tongue in cheek) that his key piece of advice was to ply your auditor with coffee and cake. More seriously, he added, “Don’t be tempted to embellish the truth. In evidenced audits, you will be asked to prove it at some stage. Even in non-evidenced audits you are just cheating yourself.”
What really struck home during the day was that, despite the variety of organisations, standards and rationales for doing assessments and chasing the ribbons, so much of the key advice was common to all three speakers. The passion that all three had for the journey was backed up by positive business outcomes. The soldiers at their organisations fought long, hard and successfully for their bit of coloured ribbon, and they’re not giving it up in a hurry!