The TickITplus scheme is a significant enhancement of the TickIT scheme which has been running successfully since the early 90’s. In 1987 the new ISO 9001 standard was released, based on BS 5750, and while it was aimed at all industry sectors it clearly had a manufacturing focus. The IT industry was growing in momentum and there were some concerns over the quality of the new software systems that were being delivered. The UK Department of Trade and Industry (DTI), in particular, started to focus on these concerns and set up an initiative to look into standards to promote the development of better, more reliable software systems. ISO 9001 was initially reviewed for its applicability in software production, but the review concluded that a number of improvements were needed to address the specifics of software development. This resulted in the formation of a BSI Committee, which today is known as the Joint TickIT Industry Steering Committee (JTISC), and the eventual creation of the TickIT scheme.
To recognise the international intent of the TickITplus scheme, JTISC has now become the International TickITplus Association (ITA).
The TickIT scheme strengthened the generic ISO 9001 standard and associated certification process through:
an infrastructure to support the scheme;
a clear scope of applicability;
an accreditation process for certification bodies;
a certification process for organisations;
a TickIT auditor registration and renewal process;
the TickIT Guide.
The TickIT scheme has served the IT sector well since its introduction, but the IT sector has changed significantly over the years and now the scheme is beginning to look dated. Information technology, particularly the reliance on it, has dramatically changed since the original TickIT scheme was established and other facets of IT are now emerging as key elements of running sophisticated, highly-integrated modern IT systems on which we all depend. Here functions such as security, service management, etc., are becoming much more significant and with less dependency on the development of bespoke software products. Organisations have also matured noticeably over the last 20 years and are now seeking to obtain more value from the certification scheme. There is clearly a movement from purely complying with standards to gain certification to implementing improvements to achieve better business performance. As the chairman of the TickITplus committee, Peter Lawrence, suggests, “organisations are moving from conformance to performance”.
In 2007 JTISC recognised these changes and initiated a review with industry which resulted in the creation of the TickITplus scheme. The scheme has now been live since the early part of 2012 and is gaining momentum with organisations starting to see the real business benefits that it offers.
The following sections identify 10 potential key benefits from using the TickITplus scheme.
TickIT has been effective in driving improvements in the software industry ever since its launch back in the early 90’s. The Scheme was established in response to customer concerns over the quality of delivered software products, which were becoming much more prevalent and critical to organisations. Amongst the 6 components, the TickIT scheme included two main elements, the TickIT Guide with details of current best practice for software engineering and a framework for establishing a pool of formally qualified and registered IT (or TickIT) auditors.
The TickIT Guide provided excellent information on creating, using and auditing a management system, based on ISO 9001, to deliver better software systems. The auditors had to formally demonstrate competency in software development, test and support in order to be registered as a TickIT auditor. They were then required to undertake continuous professional development in order to show up-to-date awareness and understanding of the rapidly changing software engineering sector.
The benefits of this were that TickIT auditors could not only audit a software development management system, but fully understand the techniques, tools and implementation difficulties experienced by organisations. This consequently led to more appropriate findings and better improvement opportunities.
While the TickIT Guide has now been replaced under the TickITplus scheme with better process model documentation, the requirement still exists, and has been improved, for TickITplus assessors to formally demonstrate their competency to be initially registered and to retain their registration every three years through a formal CPD review mechanism.
In many cases your friendly familiar TickIT auditor will continue to support your TickITplus programme.
Provides ISO 9001 certification in the IT sector
Many people think that TickIT certification, and the new TickITplus certification, is somehow separate from ISO 9001 certification. This is not the case. TickIT and TickITplus provide ISO 9001 certification as a minimum. In fact it is not possible to achieve TickITplus certification without including ISO 9001.
ISO 9001 is a very good internationally recognised standard for implementing and auditing a basic management system across a very wide spectrum of organisations and sectors. As such the terminology used is, by necessity, kept very general. However, many sectors such as aerospace, food, services, petrochemical, oil and gas, etc., use quite specific terminology or have additional requirements that are unique to their industry. This is especially so in the IT sector. The TickIT scheme introduced back in the early 90’s recognised this and introduced the TickIT Guide which provided a very good interpretation of the ISO 9001 requirements for the software development sector. By way of an example of this, the software development industry commonly refers to ‘configuration management’ as a way of controlling development components, but ‘configuration management’ is not a term seen in the ISO 9001 standard. ISO 9001 does cover configuration management through a number of clauses, in particular, clauses 4.2.3 (Control of documents) and 7.5.3 (Identification and traceability).
TickITplus not only continues with this philosophy, but through the Base Process Library extends it into a process based approach covering today’s far-wider IT sector.
If ISO 9001 is an organisational requirement and your organisation operates in the IT sector, then TickITplus will provide you with the most effective and beneficial route to achieving it along with many other benefits.
Provides a true process based model
While ISO 9001 requires organisations to implement defined management system processes, it does not express the requirements in a process focussed manner. The standard is still predominantly based on a set of defined requirements (or clauses). For business processes to be effective, they need to address more than one of these clauses, but which clauses go to make which processes is not clearly defined, although probably intuitively recognised by quality professionals.
The ISO 9001:2000 standard put significant emphasis on the need for and benefits gained by adopting a process based model, but many organisations simply renamed their existing procedures as processes without really embracing a truly process-based principle. It is not uncommon to hear of organisations having anywhere up to 500 processes. No organisation, no matter how complex, has that number of business processes. In many, if not most, cases organisations will only really have anywhere between 10 and 20 key business processes, but these are obviously supported by many more procedures, work instructions, forms, templates, etc.
The TickIT Guide encouraged the use of ISO/IEC 12207 (Systems and software engineering - Software life cycle processes). However, due to TickIT being purely guidance, there was no mandatory need to use it and consequently management systems rarely fully adopted it. In the TickITplus scheme, the adoption and use of a fully process based management system is fundamental to the scheme’s aim to effectively deliver the business and drive business improvement.
Characterising operational and support activities in terms of the key processes provides many benefits. In particular, this approach provides better visibility and communication of the key activities inherent in delivering successful products and services. Having a top down view from processes, to procedures, and perhaps work instructions, etc., ensures that lower level components are in place that fully align to overall processes and contribute to the business goals. According to ISO 9001, processes need to be defined, but not necessarily documented. Here, the definition of a process can include, in addition to the documented procedures, the implementation of formal training and qualification, where the formalisation of a process is in the training syllabus and material, and workflow systems and tools, where the implementation of the process is actually built into the operational aspect of the tools being used.
By implementing operations and support activities through well-defined processes, the actual number of documented procedures may be reduced significantly and this, in turn, can reduce the costs involved in maintenance and deployment. It may also identify where formally documented procedures are necessary, but absent.
TickITplus provides a comprehensive set of 40 IT related processes within the Base Process Library. This library of processes contains sufficient information to provide organisations with a framework for implementing a process based management system, while providing full reference back to ISO 9001 and other applicable standards.
Covers multiple IT related standards
When TickIT was released back in the early 90’s, ISO 9001 was the only Management System standard available. The target sector for TickIT was organisations involved in the classic software engineering activities, consequently the scheme encouraged users to adopt practices that were aligned with ISO 9001. Over the last 20 years, the IT sector has become much more diverse as the reliance on software systems grew rapidly. One noticeable change has been in the move away from bespoke software development in favour of more configuration-based services, e.g. SAP. One of the consequences of this has been a significant growth in the IT service sector, which has been accelerated by the introduction of the internet and cloud based computing.
TickIT bravely took up the challenge in supporting this new world, but struggled to compete with emerging models and standards such as ITIL and ISO 20000-1. Additionally, as the world became interconnected and the internet and the Cloud continued to grow, the inevitable questions over security also began surfacing. A further IT related standard emerged to address these issues in the form of ISO/IEC 27001. If these standards had been integrated and released together, any new management system would have typically developed to cover all the specified requirements. However, this was not the case and what has been seen for a number of years is independent management systems being set up to address the requirements for each standard. Clearly there are elements of these standards which are very different from each other, but there are also large portions that are very common, particularly the management elements such as corrective action, preventative action, internal audits, management reviews, etc. Even at the more detailed level there are similarities that many organisations could address with a single approach (or process).
It is more costly to maintain, deploy and improve multiple systems than it is to manage a single unified management system. For example, the costs involved in developing, deploying, operating and improving multiple systems will be much higher than if there is a single system. While there has been plenty of encouragement and guidance on management system integration, e.g. PAS99, this has not been aimed specifically at the IT sector. Of course, the cost of external audit and certification to multiple standards using multiple systems will almost certainly be much higher than would be the case with a single approach.
One of the design aims of TickITplus was therefore to promote the implementation of integrated Management Systems. This has been achieved through the construction of the Base Process Library (BPL). Every process in the BPL consists of a number, typically between 3 and 10, of base practices that articulate the activities that should be performed in order to achieve the desired outcomes from the process. Each one of these process base practices may reference one or more of the clauses of the included standards, currently ISO 9001 as the core standard, and ISO/IEC 20000-1 and ISO/IEC 27001 as supplementary standards. This provides an easy view of the relationship between the standards and the BPL processes being implemented by the organisation.
So, where organisations have a need to comply with multiple IT related standards, the benefits gained by using TickITplus will be seen through a more integrated management system requiring lower costs to certify, maintain, deploy, operate and improve.
Enables organisational improvement using capability levels
While ISO 9001 and TickIT provided a minimum basis for implementing and auditing management systems, many organisations have continued to improve their management system to such an extent that they are far more capable than the minimum required by the standards. In other cases organisations are operating as required to comply with the standards, but clearly have business goals or needs to improve their operational and support activities. The improvements being sought are not just based on tinkering with the procedures, work instructions, templates etc., but in fundamentally improving the performance of their business. This involves a step change in process capability.
There are a number of capability models already in wide use throughout the world and one of the design aims for TickITplus was not to compete with these models. However, from the organisational feedback received during the early research stage of TickITplus there was clearly a demand to move from a purely compliance based model to one aimed at capability improvement. JTISC was keen to build on existing best practice, and eventually focused on using a well-established standard for implementing, assessing and determining process capabilities. This standard is ISO/IEC 15504, which has been in use for many years and provides a comprehensive framework for capability determination.
ISO/IEC 15504 part 2 provides a model for defining process capabilities through 5 levels while providing a standard approach for assessing organisational process capabilities in a structured, consistent manner. Many studies, articles and presentations have been published that demonstrate the virtues and benefits of improving processes through a well-defined process capability model. The general principle of these capability models, including ISO/IEC 15504, is driven by a series of defined capability levels, each one building on the last to improve the outcomes of processes, while reducing the risk of the processes failing.
In essence the benefits of moving up the capability levels can be summarised as follows [1].
At level 1 the processes are informal and simply undertaken. This is something that is required by all existing standards and, to be honest, is absolutely necessary for any organisation to exist. Checking that processes are being undertaken is usually achieved through two mechanisms:
the delivery of product and services and
audit for those organisations who have adopted any of the various standards, such as ISO 9001.
This is assumed to be the starting point, but the risks to the organisation here are high, most notably, cost and schedule overrun, late discovery of major problems and emergency “red-team” recovery actions. A good anecdotal description of organisations operating predominantly at this level is that “software doesn’t get released, it escapes”.
At level 2 the processes are not just performed but are actively managed. Management of a process effectively means that its objectives are established. Work is planned, monitored and adjusted when necessary, resources are provided according to demand, roles and responsibilities are defined and stakeholders in the process are identified and actively involved. Additionally, associated work products are defined, managed and controlled. The benefits here are gained through better control of processes, more visibility of what they are required to do and by whom. As a result, there is less risk of processes failing to achieve their desired outcomes. Many organisations intuitively see the need to operate at this level even if they don’t realise they are doing so.
While operating and maintaining processes at level 2 would clearly be beneficial, further process improvements can be achieved by moving up to level 3. The main characteristic of level 3 is that the organisation has considered the individually managed processes being operated (through various means including, review, audit, measures, etc.) and has identified the specific ones that work particularly well. These specific process implementations are then adopted as a standard set for use across the organisation. The benefits here are numerous and include:
better confidence in the use of more reliable approaches, rather than being dependent on individuals to implement a managed process;
earlier discovery of process deficiencies as the standard processes are more widely and repeatedly used;
more effective and widespread improvement as any enhancements in standard processes will benefit a greater user base;
more flexibility in staff deployment through more consistent use of the standard processes; and
improved process measures that can be used to provide greater visibility of process performance.
The logical next step for level 4 is to make use of the standard process measures to better understand the processes in terms of their average performance and inherent variability. Since standard processes are being used across the organisation at level 3, a baseline of measurement should be available to facilitate improvement. From these standard measures, statistical models can be developed based on historical trends. These models can then be used to track variation in the process and, by doing so, allow identification of performance that is deviating from the established norm at a much earlier stage than would be possible at level 3. The benefits here are centred on better accuracy and repeatability of capability and reduced risk of process failure.
Once these models have been established and are in use, the associated statistical data will provide a sound basis to improve the process performance through reduced variance and better overall use. With better average performance and reduced variance in use, predictability increases and risk reduces, both of which can mean less dependence on a contingency budget.
Provides a practical route to other capability models
As mentioned previously, other capability models that have been around for many years are now internationally recognised. These include the CMMI® model from the CMMI Institute, the Automotive SPICE and SPICE 4 SPACE models. These models are well-established and it is not intended that TickITplus would compete with these models. However, none of these models offer certification to ISO 9001, or the other standards incorporated into the TickITplus scheme.
TickITplus was designed as a significant improvement to TickIT, but with the links to ISO 9001 as the core certification standard. Many organisations are also looking at these other capability based models as they often have needs to maintain certification in ISO 9001 while satisfying contractual requirements and market expectations for these other models.
Given such a scenario, TickITplus can be extremely useful in supporting an organisation that has never been exposed to a capability model, to move to any of these other models in an evolutionary approach. As the TickITplus scheme incorporates the mandatory certification requirement for routine surveillance visits, there are potential benefits in evolving the TickITplus based management system over time towards the requirements of these other models while supporting the ongoing ISO 9001 improvement programme. The resulting benefits here could be in the implementation of a management system that easily satisfies ISO 9001 requirements, but also addresses all the requirements of these other models.
TickITplus offers a unique method to integrate capability assessments with certification standards such as ISO 9001, ISO/IEC 20000-1, ISO/IEC 27001 and potentially others in the future.
Encourages organisational participation in assessments
It is not uncommon to hear that internal quality staff are much harsher on their own organisation than the external third party auditor. Often this is indicative of their much greater awareness of the day to day activities and operational weaknesses within the organisation. While good auditors need to be wary of information volunteered by internal staff, particularly negative information, it is still useful for identifying potential audit trails. However, this feature of auditing is not fully defined, nor built into the actual audit approach.
The TickITplus scheme actively encourages organisational practitioners to participate in an assessment team as a full team member. The scheme rules ensure that these practitioners have no significant conflicts of interest, are appropriately trained and have no deciding influence on the assessment results. Nevertheless, the potential benefit of having internal practitioners on the assessment team is significant.
One of the new features of the TickITplus assessment approach is the use of a team consensus review of all findings in order to come to a collective decision on the reported results, whether good or bad. Notwithstanding the potential benefits that can be gained from the internal practitioner being on the assessment team throughout the assessment, their involvement in the consensus review is invaluable. This review is held at the end of the assessment and is where all the assessment evidence and information is reviewed to establish the final result in terms of the achieved capability level, along with associated good points, observations, improvements and nonconformities. With the specific knowledge and guidance provided by the practitioner the resulting findings can be much more focused to the business needs, while still maintaining the desired independent certification requirements. While all findings are valid and should be raised, emphasis can be placed on key issues and areas for attention and specific relevant organisational terminology can be used to good effect.
Offers better consistency in the assessment approach
One of the common statements heard about the audit process is that there can be some inconsistency in approach between certification bodies conducting ISO audits and between auditors working for the same certification body. This is no real surprise given the nature of these schemes, which are typically based around individual auditors who very often conduct audits on their own. While certification bodies go to great lengths to reduce this potential variability through well-defined certification procedures and routine auditor consistency events, some dependency remains on the individual auditor.
Other schemes require significantly more rigour in the assessment approach with consequentially higher costs, but if consistency in the resulting benchmark is required, then this may be a necessary overhead.
While it isn’t intended that TickITplus be overly prescriptive in defining the audit practices that are applied by certification bodies, it is intended to improve the level of consistency being undertaken by assessors in conducting assessments. This has been done in a number of ways:
TickITplus provides clearly specified requirements on what needs to be done to achieve a process through the base practices and what the typical work products should be. It is no longer just guidance, as was the case under TickIT.
The scheme defines, through adoption of ISO/IEC 15504, a clear set of components that need to exist in every case, including the Base Process Library, defined by the scheme, a Process Reference Model that must be produced by the organisation and a Process Assessment Model that has to be completed by the assessment team.
The actual rules for conducting a TickITplus assessment are formally defined in the Core Scheme Requirements, which have to be adopted by certification bodies, who are assessed and accredited by the UK Accreditation Service.
The benefits for organisations, and for the whole third party certification industry, are that the results of the assessment will be more comparable across the TickITplus user base. This will offer customers a better indication of an organisation’s process capability and, as the capability levels increase, potential risk areas that can then be understood and mitigated by the customer as necessary.
Clearly defines process outcomes
One of the strongest elements within the TickITplus scheme is the identification of defined outcomes for each and every process within the BPL. In the past significant emphasis has been placed on work products, particularly the retention of records to provide evidence of process use and its effectiveness. However, organisations do not primarily operate processes to produce records, but instead they are intended to achieve a particular result or an outcome. This said, most processes do actually result in some form of output or record. While auditing outputs or records provides an indication of the process compliance to planned arrangements, it doesn’t necessarily provide any indication of the effectiveness of the process. The result or outcome does.
For example, if the design review process is considered, the outputs or records could be things like a design review record, comments on the design, corrective actions, an approved design etc. None of these would actually provide a clear indication that the design review was effective, only that it complied with the planned arrangements. The only way to establish whether the design review was effective would be to look at the subsequent process that was implementing the design into a product and to see whether there were any issues or concerns arising that should really have been detected as part of the design review.
In a similar way, the training or learning and development process can produce numerous outputs such as training records, skill matrix updates, certificates, course feedback forms, etc., but none of these actually indicate how effective the training has been. They all confirm that the training was undertaken and some actually indicate what it was like, e.g. the feedback form, etc., but the only real way to establish whether the training was effective would be to examine the resulting outcome. Here, the outcome would typically be expected to be someone with a new skill or able to do something more competently.
One of the problems with results and outcomes is that it is harder to witness or observe the correlation between the process and its desired outcome. Another, although related, problem is that the standards and models that exist today do not clearly identify what these outcomes might look like. It is therefore difficult to find a consistent benchmark on which to judge effectiveness during an assessment.
TickITplus addresses consistency of assessment by providing a defined relationship between outcomes and processes. Here, every process in the BPL has at least one defined outcome which aims to describe the effect of implementing the processes in an efficient manner. At the Foundation and Bronze levels the outcomes do not need to be formally demonstrated, but they do at the Silver level and above [2].
This provides a consistent approach to conduct an assessment of the effectiveness of a process and also provides the organisation with an invaluable insight into the operations of their processes. This is intended to promote real and focused business oriented process improvements, rather than improvement to processes based purely on the outputs or lack of outputs. For example, the outcome for the verification process (TEC.4) is stated as “Work products are shown to meet their specifications following verification without rework”. Firstly, rework in the actual verification process may always be necessary as a result of conducting the verification [3]. Nevertheless it is clearly desirable to avoid subsequent rework because the verification activity wasn’t effective, or missed something. The big issue here is often that organisations don’t actually know how much rework is being undertaken, and when they do they don’t correlate it back to the process that introduced the defect. This might be down to not seeing the cause and effect or, in TickITplus terms, the process and its desired outcome.
The outcomes defined in TickITplus provide an indication of the intended results for each process and encourage an organisation to implement measurements to monitor the performance of their processes and thereby formulate objectively defined process improvement targets. For example, in the case of TEC.4 (above) it might be ‘to reduce the subsequent rework caused by an ineffective verification process by 5% over the next year’.
Promotes real business improvement
The opportunities here are very much based on the combination of all the other benefits mentioned previously. The whole aim of TickITplus is to enhance the approaches that organisations use to implement, manage, improve and assess their business processes. Again, the focus here is on moving from “conformance to performance” by identifying the real business processes and improving them through formal analysis of empirical data from their performance.
In summary the business benefits result from:
a clearly defined process based model;
the inclusion of defined process outcomes by which process effectiveness can be determined;
reduced process maintenance and assessment disruption by mapping multiple standards into one model;
reduced risk through defined process capability levels that lead organisations to mature their processes;
better improvements, based on more reliable and comparable assessment results;
greater take-up and buy-in to the management system through the engagement of organisational Practitioners and their direct involvement in assessments.
Finally, the TickITplus scheme is your scheme and will grow and develop under its framework to address new technologies and approaches as they evolve. JTISC is already looking at additional standards and schemes such as the PAS 745 for trustworthy software and ISO 61508 for safety critical developments. The TickITplus website is evolving and discussion is growing on the social media sites such as LinkedIn, Twitter and Facebook. Scheme changes are encouraged from the user community and the online change request form enables easy feedback for future improvements.
[3] Ultimately, if we could, we would aim to improve the processes that need to use the verification process to such an extent that we would not need to use it in the first place; that's a discussion for another time.