Standards: Profitability, Growth, and Industry Leadership

Dave Pavuk

By David A. Pavuk, J.D.
Director of Compliance and Efficiency
Trivalent Group, Inc.

If you are not already sold on the proposition that standards are highly beneficial, if not an absolute necessity, when it comes to information technology, you may be asking: “Why are they important?” and “What are the benefits of using them?”

Generally, there are a number of compelling reasons to adopt defined standards, and these apply equally to IT solutions.  Consider the following:

  • If the Wheel Exists?
    In today’s business world, time is a precious commodity. Why spend the time and effort needed to develop an ad hoc solution for each implementation when a proven solution based on well-designed standards can be used instead?
  • Use of Good (Best) Practices
    Good standards have been developed over time. The cumulative years of experience reflected in good practice models cannot be matched by any single effort.
  • Promote Auditability
    Standards help define and establish the baselines against which future performance can be measured.
  • Standards also help to:
    • Attract and assure customers
    • Demonstrate market leadership
    • Create a competitive advantage

Now that I have made my pitch for why every company should be using standards for their IT processes and solutions, I have a confession to make. While standards are good as a general matter, not all standards are right for every company. So, how do you choose which standards to use?

Thankfully, the answer is fairly simple. How a set of standards is chosen is largely influenced by the environments to which they will be applied. Generally, standards simply need to conform to the industries and areas they are intended to serve. Admittedly, though, it can be and often is confusing. Multiple standards will very likely need to be considered for each particular environment examined, and it is likely that some things which might appear to be the same are actually quite different.

Take, for example, the following two Information Technology Service Management (ITSM) standards:

  • ISO 27002 is an information security standard published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC). ISO 27002 provides guidance for information security management controls.
  • ITIL is a framework of best practice guidance in Information Technology Service Management (ITSM). It describes processes, functions, and structures that support most areas of IT Service Management, mostly from the viewpoint of the service provider. One of the many processes it describes is Information Security Management (ISM).

While at first glance, these two standards may seem to overlap, they are in fact completely independent, or, perhaps better stated, they are co-dependent. While ITIL recognizes the importance and role of Information Security Management, it does not qualify which security standards are appropriate or sufficient to achieve it.  ISO 27002, on the other hand, addresses more specifically a set of recommended practices against which a company’s security control processes can be measured. When viewed in these regards, ITIL provides the “how?” to ISO 27002’s “what?”  The two are very different things, indeed, but do serve the common purpose of ensuring security management. Confusing? Let’s keep it simple then. Standards need to conform to the specific areas they serve. One size may not fit all, and it is perfectly acceptable to have a set of standards rather than a single standard which is expected to meet all needs.

In short, IT solution standards are very powerful tools for organizations. They pave the way for consistent, reliable, and proven methodologies that enable businesses to minimize effort and the time needed for solution delivery/deployment, thereby enhancing profitability. Companies which consistently and correctly apply IT solution standards take a leading role in shaping the industries they serve.