ITSM Gap Analysis Template


IT Service Management - High Level Concerns

S#  Concerns  Compliance  Findings  Compliance Level (%)

1 Are there established IT Service Management:
  a) policies? (Compliance: no)
  b) objectives?
  c) plans?
2 Are all end-to-end IT services identified?
3 Are the IT services defined in terms of:
  a) Customers / end users?
  b) Suppliers/vendors?
  c) Resources – Hardware
  d) Resources – Software
  e) Resources – Documentation
  f) Resources – People
5 Is the executive responsibility for the co-ordination and management of all services allocated to an individual or post?
6 Does a management forum that includes IT service stakeholders operate to give clear direction and visible management support?
7 Are resources made available to determine and provide planning, implementation, monitoring, reviewing and improvement of service delivery?
8 Are risks to the service management organisation and to the services identified, considered and managed?
9 Is there a published policy on service improvement?
10 Are roles and responsibilities for service improvement activities clearly defined?
11 Are service reports considered in making decisions and taking corrective actions?
12 Do current/existing practices define:
  a) objectives and requirements to be achieved from existing processes?
  b) interfaces between activities of each IT service?
  c) dependencies of each IT service?
  d) framework of management roles and responsibilities, including process owners?
  e) key roles and responsibilities of each IT service team member?
  f) required budget, facilities and other resources?
  g) provide an approach to managing, auditing and continuously improving the quality of services delivered?
  h) where appropriate, address the use of third party suppliers within each IT service?
13 Do the existing IT service practices clearly identify:
  a) which service reports are needed?
  b) from where the data for these are derived?
14 Are there procedures and responsibilities for creating and maintaining relevant documents?
15 Do the existing IT service practices ensure that documents are:
  a) created when required?
  b) actively brought to the attention of all parties who could usefully refer to them?
  c) legible and identifiable?
  d) readily identifiable and available to all relevant parties?
  e) dated and authorized as appropriate?
  f) maintained under version control?
  g) reviewed and updated as required?
  h) promptly withdrawn when obsolete and either retained or disposed of as required?
16 Are staff competencies and training needs reviewed and managed such that staff can deliver their responsibilities effectively?
17 For all existing roles and responsibilities are the competencies defined and maintained?
18 Are proposals for new or significantly changed services considered in terms of:
  a) potential cost?
  b) organisational impact?
  c) technical impact?
  d) commercial impact?
  e) regulatory impact?
  f) security concerns?
19 Are staff and other stakeholders aware of:
  a) the importance of meeting objectives and the need for continual improvement?
  b) relevance and importance of their activities to the delivery of services?
  c) how they contribute to the achievement of service objectives?
20 Are all suggested service improvements:
  a) assessed?
  b) recorded?
  c) prioritised?
  d) authorized?
21 Are customer requirements determined?
22 Are customer requirements met? If yes, what is the evidence?
23 Are current service levels recorded for measuring improvements at a later date?
24 Do the current operational practices demonstrate any evidence of continual improvement in service quality?
25 Are service reports produced with clear description of:
  a) identity?
  b) audience?
  c) purpose?
  d) data source details?
  e) communicated to all relevant parties?
26 Is there a planned audit programme to audit existing processes / practices?

Findings:
Apex policy needs to be defined

Percentage of Compliance

Service Delivery - Service Level Management

S#  Concerns  Compliance  Findings  Compliance Level (%)

1 Does a formal/informal Service Level Management process exist for this service?
2 Is there an identified process owner?
3 Have the aims and objectives of the process been defined and documented?
4 Have the roles and responsibilities for the process been clearly defined and allocated?
5 Are there formal agreements, agreed by all parties, for all services that support SLAs and are provided internally within the organisation (OLAs)?
6 Is there a service catalogue showing the full range of IT services available to customers?
7 Have all underpinning support services relevant to SLAs/services been identified?
8 Is there an agreement on:
  a) service level targets?
  b) expected service workloads?
9 Is there a procedure for the agreement of temporary variations to the service?
10 Are the service level targets expressed in terms of the customer’s business?
11 Are OLAs and underpinning contracts regularly reviewed and renegotiated as part of significant change control?
12 Are the reasons for non-conformance to targets:
  a) reported?
  b) reviewed?
  c) acted upon?
13 Is there monitoring and reporting of current and trend information on:
  a) the service levels achieved?
  b) the resources used?
  c) the cost of the service?
14 Are there adequate documentary records to enable audit of the existing process?

Percentage of Compliance

Service Delivery - Financial Management Of IT Services

S#  Concerns  Compliance  Findings  Compliance Level (%)

1 Is budgeting and accounting of IT services done for all IT services?
2 Is there a clear policy on:
  a) budgeting and accounting for all components?
  b) apportioning and allocating all indirect costs to relevant services?
  c) effective financial control and authorization?
  d) establishing the anticipated and actual costs of each delivered service?
3 Is there a process synergy with the organisation’s financial control section?
4 Is the basis for cost recovery defined and widely understood?
5 Is IT expenditure budgeted for the future to enable effective control and decision-making?
6 Are changes to the services costed as part of the change approval process?
7 Are the main areas of expenditure broken down in cost units?
8 Are costs monitored and reported against budgets?
9 Are service cost units and expenditure cost types reviewed at each new costing period, e.g. annually?

Percentage of Compliance

Service Delivery - Availability Management

S#  Concerns  Compliance  Findings  Compliance Level (%)

1 Does a formal/informal Availability Management process exist for IT services?
2 Is there an identified process owner to ensure availability of the services?
3 Have the aims and objectives for the availability of the services been defined and documented?
4 Have the roles and responsibilities for the availability of the services been clearly defined and allocated?
5 Is there an Availability Plan that reflects the availability requirements of the customer into internal availability targets?
6 Are business plans and risk assessments used as inputs to establishing availability requirements?
7 Have the availability requirements, including maintainability and serviceability, been considered during system design and major change?
8 Are issues that might affect availability predicted and prevented?
9 Is availability defined, measured, monitored and delivered in terms of the service required for business process?
10 Do availability requirements include:
  a) End-to-end availability from the user perspective?
  b) Access rights?
11 Are there any availability records?
12 Do availability records reflect:
  a) The organisation’s relative dependence on the IT service?
  b) Identify the relative reliance of the IT service at different periods of time?
13 Are availability audits carried out to identify weak and potentially weak areas and single points of failure?
14 Are availability requirements reviewed periodically to ensure that requirements are being met?
15 Is historical availability information maintained?

Percentage of Compliance

Service Delivery - IT Service Continuity

S#  Concerns  Compliance  Findings  Compliance Level (%)

1 Does a formal/informal IT Service Continuity Management process exist for IT services?
2 Is there an identified process owner to ensure availability of the IT services?
3 Have the aims and objectives for continuity of the services been defined and documented?
4 Have the roles and responsibilities for the continuity of the services been clearly defined and allocated?
5 Is there a DR Plan for the restoration of the services following a failure or a disaster?
6 Are business plans and risk assessments used as inputs to establishing continuity requirements?
7 Is management authority for invoking a contingency/DR plan unambiguous and documented?
8 Does the DR Plan cover all administrative and non-IT processes within the service management function?
9 Does the service continuity process address:
  a) the implementation of continuity plans?
  b) the implementation of standby arrangements?
  c) how risk reduction measures are devised and implemented?
  d) operational management during contingency situations?
  e) the maintenance and testing of continuity plans?
10 Are all data backed up at intervals appropriate to business?
11 Are data backups stored safely from live data?
12 Are reports produced on test of the continuity plans?
13 Are test reports reviewed with stakeholders and acted upon?

Rakesh Gupta

Findings:
Informal Continuity Plans and processes do exist at individual app level, but such data is not available for review
Business Risk assessment, RTO, RPO are not calculated

Percentage of Compliance

Service Delivery - Capacity Management

S#  Concerns  Compliance  Findings  Compliance Level (%)

1 Does a Capacity Management process/activity exist in the current scenario?
2 Is there a Capacity Plan?
3 Are capacity implications considered during system development or modifications?
4 Are all services assessed for capacity implications at suitable intervals?
5 Are services assessed for all relevant capacity factors including non-IT resources?
6 Are there appropriate tools to provide the data required?
7 Have methods, procedures, and techniques been identified and applied in order to:
  a) monitor service capacity?
  b) tune service performance?
  c) provide adequate capacity?
8 Do existing practices address:
  a) predicted future business requirements?
  b) time-scales, thresholds and cost of service upgrades?
  c) current capacity and performance requirements?
  d) anticipated capacity and performance requirements?
  e) data and process to enable predictive analysis?
  f) the anticipated effect of new technologies, techniques and upgrades?

Percentage of Compliance

Service Delivery - Security Management

S#  Concerns  Compliance  Findings  Compliance Level (%)

1 Does a formal/informal Security Management process exist for IT Services?
2 Is there an identified process owner?
3 Have the aims and objectives of the process been defined and documented?
4 Have the roles and responsibilities for the process been clearly defined and allocated?
5 Are the information security aims and objectives established via risk management considerations?
6 Are the controls of the Information Security Policy published and communicated as appropriate to all system users including:
  a) service management personnel?
  b) customers?
  c) suppliers?
  d) temporaries?
7 Are customer’s specified requirements taken into account in implementing appropriate security controls?
8 Are arrangements that involve third party access to systems based on formal agreements that define necessary security arrangements?
9 Are there appropriate security controls to manage the risks associated with access to services and systems?
10 Are security incidents reported in line with the incident management procedure as soon as possible after the incident is discovered?
11 Are security controls documented?
12 Is automatic protection in place for business critical systems (h/w, s/w, documentation, etc.)?
13 Are the types, volumes and impacts of security incidents and malfunctions monitored and quantified?

Percentage of Compliance

Relationship Management - Business Relationship Management

S#  Concerns  Compliance  Findings  Compliance Level (%)

1 Does a formal/informal Business Relationship Management process exist for this service?
2 Is there an identified process owner?
3 Have the aims and objectives of the process been defined and documented?
4 Have the roles and responsibilities for the process been clearly defined and allocated?
5 Is the service provider aware of the business needs and major changes such that they can prepare responses to customer need?
6 Are the business needs of the customer documented (formally/informally)?
8 Are stakeholders of services identified and documented?
9 Are customer satisfaction measurements that cover all customers in place?
10 Do the customer and service provider attend a service review to discuss changes to scope, SLA/contract, business needs at least annually?
11 Are interim meetings held to discuss performance, achievements and action plan?
12 Are meetings with customers documented?
   Is there a complaints procedure?
13 Has it been agreed with the customer what constitutes a formal complaint?
14 Are all customer complaints recorded, investigated, acted upon and formally closed?

Percentage of Compliance

Relationship Management - Supplier Management

S#  Concerns  Compliance  Findings  Compliance Level (%)

1 Does a formal/informal Supplier Management process exist for this service?
2 Is there an identified process owner?
3 Have the aims and objectives of the process been defined and documented?
4 Have the roles and responsibilities for the process been clearly defined and allocated?
5 Is a named contract manager responsible for each supplier?
6 Are customers aware, if necessary, of when and where services are supplied by third parties?
7 Is there a policy covering the circumstances when services can or must be supplied by a third party?
8 Are the process scope, level of service and communication processes provided by the supplier documented unambiguously and agreed by all parties?
9 Are there agreements with internal and external service providers aligned with the SLAs/business needs of the customer?
10 Is there a process to follow in the event of a contractual dispute?
11 Is there a change management process to amend the process, scope, level of service or contract?
12 Are third parties actively encouraged to search for and implement improvements?
13 Are suppliers notified of change requirements in a timely fashion?
14 Are roles and relationships between lead and subcontracted suppliers clearly documented?

Percentage of Compliance

Resolution Process - Incident Management

S#  Concerns  Compliance  Findings  Compliance Level (%)

1 Does a formal/informal Incident Management process exist for IT services?
2 Is there an identified process owner?
3 Have the roles and responsibilities for the process been clearly defined and allocated?
4 Are the procedures designed to minimize the impact of service incidents?
5 Are major incidents defined, classified and managed according to a defined process?
6 Is the method of contacting IT service support well publicized throughout the organisation?
7 Are all incidents recorded?
8 Are all calls logged?
9 Are all calls routed via a central point of contact?
10 Do the staff who receive calls have knowledge/training in the business processes being supported?
11 Do the staff in the Incident Management process have access to a knowledge base?
12 Are customers/users kept informed of the progress of incidents they have reported?
13 For all service incidents do the procedures define:
  a) recording?
  b) prioritisation?
  e) classification?
  g) allocation?
  h) escalation?
  i) resolution?
  j) formal closure?
14 Are appropriate details of each incident recorded?
15 Does the Incident Management process or a mechanism exist to monitor the status and progress of all open incidents against service levels regularly?
16 Does the Incident Management process or a mechanism exist to monitor incidents that are reassigned between different specialist support groups closely?
17 Does the Incident Management process confirm with the originator the satisfactory resolution of the incident?

Percentage of Compliance

Resolution Process - Problem Management

S#  Concerns  Compliance  Findings  Compliance Level (%)

1 Does a formal/informal Problem Management process exist?
2 Is there an identified process owner?
3 Have the aims and objectives of the process been defined and documented?
4 Have the roles and responsibilities for the process been clearly defined and allocated?
5 Are all known errors identified?
6 Are all identified problems recorded?
7 Does a knowledge base of incident information exist, and is it up to date?
8 Are all problems classified, cross-referenced and related to relevant, previously logged and resolved incidents, problems and known errors?
9 Is problem prevention considered a fundamental part of managing IT services?
10 Are there procedures to identify, minimize or avoid the impact of service problems?
11 Are all suggested changes and improvements that might remove errors and prevent incidents routed via change management?
12 Are incident records analysed regularly to detect the increase or reduction of incidents and problems?
13 Are all identified known errors, workarounds and solutions fed back into a service improvement programme?
14 Are impact and urgency evaluated in respect of the business needs of the organisation?
15 Does the problem closure process ensure that:
  a) the details of the problem resolution have been accurately recorded?
  b) the cause of the problem has been categorized to facilitate analysis?
16 Are problem reviews (post mortems) held following the resolution of a problem?
17 Are regular management reviews held to highlight problems requiring immediate attention, determine and analyse trends and to provide inputs for other processes, such as customer or service desk education?

Percentage of Compliance

Control Process - Configuration Management

S#  Concerns  Compliance  Findings  Compliance Level (%)

1 Does a formal/informal Configuration Management process exist for this service?
2 Is there an identified process owner?
3 Have the aims and objectives of the process been defined and documented?
4 Have the roles and responsibilities for the process been clearly defined and allocated?
5 Is there an integrated change and configuration management plan?
7 Is there a well understood policy defining what constitutes a configuration item?
8 Is the information to be recorded for each item defined, including relationships and documentation?
9 Does configuration management process/mechanism cover all elements of the infrastructure?
10 For configurable components of the service and infrastructure, does configuration management provide mechanisms for:
  a) identifying?
  b) controlling?
  c) tracking versions?
11 Does the degree of control meet:
  a) business needs?
  b) risk of failure?
  c) service criticality?
12 Is information on any configuration item available on a need-to-know basis to customer/supplier/service staff?
13 Is there a defined owner for each configuration item type at each applicable life cycle stage?
14 Are configurable items (CIs) uniquely identifiable (Item code)?
15 Are there procedures to prevent unauthorised updating of configuration records?
16 Can configuration baselines, builds and releases be easily and accurately identified?
17 Are critical configuration items (CIs) identified?
18 Are logical and physical relationships between CIs recorded?
19 Are appropriate statuses defined for CIs?
20 Is the inventory actively managed and verified to ensure its reliability and accuracy?
21 Are master copies of software and documents controlled in a secure physical or electronic library?
22 Are changes to configuration items traceable and auditable?
23 Do configuration records include ownership and identification details?
24 Is there a central data repository (CMDB)?
25 Are regular and accurate reports produced for management?
26 Are random checks on CIs carried out (audits)?

Percentage of Compliance
Control Process - Change Management

S#  Concerns  Compliance  Findings  Compliance Level (%)

1 Does a formal/informal Change Management process exist for this service?
2 Is there an identified process owner?
3 Have the aims and objectives of the process been defined and documented?
4 Have the roles and responsibilities for the process been clearly defined and allocated?
5 Are there formal procedures to ensure that all changes are approved, checked and implemented in a controlled manner?
6 Are customers aware, if necessary, of when and where services are supplied by third parties?
7 Are all changes to CIs recorded?
8 Is the implementation of new or changed services, including closure of a service, planned and approved through a change management process?
9 Does the planning for new/changed service address:
  a) all relevant roles and responsibilities?
  b) changes to existing service management framework and services?
  c) communication to relevant parties?
  d) consequential contracts/agreements to align with new/changed business need?
  e) manpower and recruitment requirements?
  f) skills and training requirements?
  g) processes, measures, methods and tools to be used with new/changed services?
  h) budgets and timescales?
  i) service acceptance criteria?
  j) expected outcomes expressed in measurable terms?
10 Does change management cover all elements of the infrastructure?
11 Are changes initiated through a formal procedure (Request for Change – RFC)?
12 Are there appropriate authorisation and implementation procedures for each category of change?
13 Is there a procedure to assess the impact, urgency and consequences of each change?
14 Are change requests assessed for:
  a) risks, business benefit and impact?
  b) cost and urgency?
  c) impact on availability and service continuity?
  d) impact on security controls?
  e) impact on incident management process (service desk workload)?
15 Is a change schedule, taking account of all factors, including scheduled implementation dates, published and accessible to all appropriate parties?
16 Is a release/implementation plan required for all except the simple changes?
17 Are back-out plans always produced and checked for practicality?
18 Is appropriate testing planned and executed, including formal customer acceptance as appropriate?
19 Are all changes reviewed, results reported to relevant parties and actions taken after implementation?
20 Is there a formal, documented and well understood emergency change procedure?
21 Are change records analysed regularly to detect increasing levels of change, frequently recurring types, emerging trends and other relevant information?
22 Are change records audited and verified?
23 Are audit trails retained in accordance with regulatory, contractual and business requirements?

Percentage of Compliance

Release Process - Release Management

S#  Concerns  Compliance  Findings  Compliance Level (%)

1 Does a formal/informal Release Management process exist for this service?
2 Is there an identified process owner?
3 Have the aims and objectives of the process been defined and documented?
4 Have the roles and responsibilities for the process been clearly defined and allocated?
5 Is there an agreed and documented policy stating the frequency and type of release?
6 Are there appropriate and comprehensive plans on how to roll out a release to each site and user, agreed and signed off by all potentially affected parties?
7 Are there software libraries and related repositories for managing and controlling software baselines and releases?
8 Do procedures include the access and update of configuration records and versions of software, hardware and documentation used in the build and release processes?
9 Does the existing process include the manner in which the release will be backed out or remedied if unsuccessful?
10 Are release packages formally verified for completeness and accuracy?
11 Do release plans:
  a) record release date and deliverables?
  b) record related RFCs, problems and known errors?
  c) record related incidents, affected users and services?
12 Does the release procedure include the updating of change and configuration records?
13 Is there an emergency release procedure that interfaces with the emergency change procedure?
14 Are all releases built and tested in a controlled acceptance test environment before release?
15 Are releases and distribution designed so that the integrity of hardware and software is maintained during installation, handling, packaging and delivery?
16 Are release plans communicated to incident management?
17 Are the successes and failures of releases analysed regularly to assess their impact on business, IT operations and support staff resources?
18 Are incidents related to release measured for a period following release?

Percentage of Compliance
