Truly Benefiting From Standards

By George Spafford

There are a number of IT standards that aim to assist organizations in the implementation of best practices in the field of IT. For instance, ISO 17799, ITIL and COBIT are well thought out and can help organizations improve — not only in terms of compliance but also in terms of real operational benefits. However, regardless of the standard selected, organizations must actually embrace the spirit of the standards to gain these real benefits.


In the past, many organizations worked on obtaining certification against a standard for marketing purposes, or as a means to pass some contractual or regulatory requirement, as opposed to truly embracing the standard and the requisite continuous improvement.

For example, some organizations went after ISO 9000 certification simply in order to say they were certified. The main goal wasn't to improve, but simply to be certified and to be able to put that in their marketing communications. This skewed outlook caused these groups to miss tremendous opportunities to improve their organizations. In a similar fashion, organizations that want to improve their IT organizations must truly embrace the spirit of the various standards they choose to implement.

Select the Right Standard

First and foremost, organizations must select the standard(s) that best suit their needs. For example, ISO 17799 addresses IT security. ITIL addresses IT operations from a service management perspective and provides a wealth of best practices. COBIT is the most all-encompassing IT governance standard and touches on all areas. All three have positive benefits, and there are elements to learn from each. However, if your focus is solely IT security, you may want to focus on ISO 17799.

Likewise, if you want to address operations and service level issues, start with ITIL. Organizations must take the time to research what best fits their requirements in both the short and long term.

Factors to Consider

There must be forces at work driving you to investigate the IT standards. These pressures and their subsequent requirements will vary from organization to organization. Take the time to list these factors and assign weights based on need. The result will be a checklist you can use to formally compare the various standards. For example, some of the factors you may want to consider are:

Continuous Improvement

When you are assembling your plans, think in terms of continuous improvement rather than a one-time event. The old saying that "the only constant is change" is as true as ever. Moreover, best practices typically evolve over time as people learn. As a result, the improvement process must, by definition, be a constant process as well. Standards give a framework to follow but often do not explain every detail. It is up to the implementing organization to take each standard's tenets to heart, apply them to its environment and continuously improve.


Rather than adopt standard IT governance methodologies for the sake of marketing or solely to meet regulatory or contractual requirements, organizations need to adopt the spirit of the standards. Only by doing so will they truly accrue the benefits associated with the standards. The value does not end with the initial implementation of the standard, and continuous improvement practices must be adopted to keep attaining those benefits. Without a doubt, standards are beneficial and provide guidance to organizations, but it is up to each organization to truly reap the rewards.