Adopting TickITplus will make compliance with different management system standards a lot simpler because of the way it is structured: it is designed around integrated management systems. Phil Willoughby, ICT Manager of LRQA, discusses TickITplus and how it will make standards implementation easier.

TickITplus was launched in 2011 as the successor to the much-loved TickIT sector scheme, introduced in 1991 to encourage greater focus on quality within the IT industry, especially software development. The TickIT scheme provided extensive guidance on applying the requirements of ISO 9001 to software development and IT-related activities, using ISO 9000-3 and ISO 90003 as the primary reference material for the TickIT Guide.

The scheme also targeted the experience and capability of assessors, to ensure that third-party audits were carried out effectively by people knowledgeable in the subject matter. An independent body managed the auditor certification process and ensured auditors maintained their competence.

TickIT has brought tangible benefits to the IT sector, with many IT and software suppliers opting to be certified to ISO 9001 through the scheme. However, the IT landscape has changed significantly since the scheme's inception (e.g. monolithic systems development has given way to agile methods and the app store model).

The TickIT Guide tried to keep pace with these changes, being republished several times up to the final version 5.5, which references ISO 12207 for software processes and ISO 15504 for a CMMI-style capability assessment framework.

The IT market has also changed dramatically with many customers choosing to outsource their IT services to gain greater return on their IT investment. While software quality remains critical, we have seen the development of other standards for the IT sector. The ITIL framework has established itself with ISO / IEC 20000-1 for IT service management, and latterly ISO / IEC 27001 for information security has come to the forefront.

As a result, certification has become more complex, with organisations requiring not only ISO 9001 but also ISO 27001 and ISO 20000-1. Other standards are set to impact the IT industry, such as those for energy and environmental management.

The Joint TickIT Industry Steering Committee (JTISC), responsible for TickIT, recognised a need to create a framework that could cope with this changing landscape and address industry concerns that TickIT was no longer a market differentiator. Importantly, it was recognised that a capability maturity dimension was needed to promote increased maturity of processes. TickITplus was conceived.

How does TickITplus work?

The foundation of the TickITplus scheme is the Base Process Library (BPL). The BPL contains a set of 40 different processes that unify the requirements of the IT sector activities and the most common certification standards into a single framework. The BPL has been developed taking input from the following standards:

  • ISO / IEC 12207 on software lifecycle processes;
  • ISO / IEC 15288 on lifecycle management;
  • ISO / IEC 27001 for information security management;
  • ISO 9001 for quality management;
  • ISO / IEC 20000-1 for IT service management.

Each process has a defined purpose, outcomes, base practices, work products and references to the associated standards. These descriptions are not copied from the standards, but reflect their requirements in a business-readable form.

By referencing the requirements of ISO standards rather than copying them, the processes do not need updating every time a new version of a standard is released, while still ensuring that wherever compliance with a standard is required, that standard is referenced. Similarly, a new standard can be mapped onto the model without requiring changes that would affect people already using the BPL.

Of the 40 processes, an organisation has to select the set relevant to its activities. Type A processes have to be implemented irrespective of the business activities. Type B processes are scope dependent; hence if software is being developed, then the ‘verification’ and ‘validation’ processes are relevant. The concept of scope profiles has been developed to make the selection process simple and consistent.

In being assessed against the model, you are also assessed against ISO 9001 and the other standards you have selected. So if you require ISO 27001, then you must also implement the security management process.

The core scheme requirements (CSR) fully describe the scheme rules. This includes a requirement for an organisation to map its procedures and processes onto the BPL in a process reference model (PRM), to demonstrate how its integrated management system (IMS) meets the TickITplus requirements. The auditor has to create a process assessment method (PAM) to perform and record the assessment.

The scheme may seem complex, but, as with its predecessor, auditors require formal training before they can deliver TickITplus assessments. One of the scheme’s strengths has been in recognising that organisations need expertise to use the model effectively, and so the scheme uses the same training course for both auditors and practitioners.

In comparing TickIT to TickITplus, the latter can be seen to be far more structured and prescriptive (requirements rather than guidance), which should ‘raise the bar’ and make it a real differentiator again.

Where does ISO / IEC 27001:2013 fit?

Over recent years, and in parallel with (but not linked to) the TickITplus development, the International Standards Organisation has recognised a need to ‘standardise’ the structure of management system standards. In the past these specifications have loosely followed the Deming ‘Plan-Do-Check-Act’ model, but with each incarnation developing its own requirements for activities that should be the same.

Annex SL of the ISO / IEC Directives, Part 1, Consolidated ISO Supplement, addresses this problem by defining a common structure and common text for management system standards. Discipline-specific text is then inserted in the relevant sections. Significant changes include mandating risk management, forcing stronger requirements on determining the ‘context of the organisation’, as well as step changes to ‘leadership’ and ‘performance evaluation’.

ISO / IEC 27001 is the first standard to fully comply with this structure and, in a recent exercise by JTISC, it was mapped into the TickITplus BPL. The result demonstrated that the TickITplus design can cope with even these significant changes. The latest version of the BPL, recently published, includes mappings onto both the old and new versions of ISO / IEC 27001.

The TickITplus scheme provides an integrated framework to unify frequently applied IT management system standards, which will make it simpler for organisations to develop their management systems, while streamlining assessment and certification activities against these standards.

TickITplus also introduces the ability to quantify improvement through the use of maturity levels, and hence helps organisations differentiate themselves and better evaluate their return on investment.

Annex SL will help the integration of management systems by forcing a common view of the core management processes. ISO / IEC 27001:2013 has shown that this structure and its common requirements are aligned with the TickITplus model, so creating a sustainable scheme for the future that will meet the IT industry’s requirements.

TickITplus was developed with significant contributions from BSI, CSC, DNV, LRQA, Nexor and Omniprove.