There are many ITSM frameworks and standards. The diversity has not yet reached that of the insect world but it is growing fast.
At a conference that I attended in 2005, a senior member of the COBIT Steering Committee explained that COBIT was based on over 50 frameworks and standards. To tell the truth, I was astounded at the time to discover that there could be so many. Now there are even more – Darwinism is at work!
Since 2007, you have been able to buy a textbook that covers the leading 23 ITSM frameworks, although if you don’t work in the Netherlands or Belgium you might not have heard of some of them since they were devised and are mainly deployed in those countries. ITIL, certainly the most popular and globally deployed framework, includes in its V3 core volumes reference to at least five other frameworks and standards: COBIT, CMMI, PRINCE2, ISO 27002 and ISO 20000.
In my articles, I will be outlining not these but some of the less well-known ITSM frameworks, hopefully encouraging readers to delve into these. There is a vast collection of free resources out there, each the work of a cohort of enthusiastic and experienced IT service managers working freely out of their love of the subject and their desire to improve the world.
I’m going to start by discussing four frameworks for Risk Management of ITSM. These are not that well known but, nevertheless, each moves best practice forward significantly and is easy to apply, and all are free to download and use. The first framework I’m going to look at is MEHARI.
MEHARI V3 (Méthode Harmonisée d’Analyse de Risques) 2007
MEHARI was originally developed in 1996 for Chief Information Security Officers, CIOs, risk managers and auditors by CLUSIF (Club de la Sécurité de l’Information Français), based in Paris, France. It provides a comprehensive set of tools for risk analysis and risk management, principally covering information security. It includes a risk assessment model and a security services reference manual for building a security framework. It claims to be totally compatible with ISO 13335, the risk management standard, providing a methodology and tools as required by the standard. It complements ISO 27001 and ISO 27002 by providing tools and methods to assist in choosing appropriate security measures, and its coverage is wider than solely the security of information systems. The development team is currently working on how the MEHARI knowledge bases can be aligned with other standards and frameworks, particularly ISO standards, the Sarbanes-Oxley Act and COBIT. The target audience is security managers, auditors and risk managers. It is free to download and use. MEHARI’s knowledge bases and documentation are freely downloadable in full in English and French, with the Introduction (only) in Arabic, German, Spanish, Italian and Romanian.
MEHARI: http://www.clusif.asso.fr/en/production/mehari/
Next time I’ll be looking at the Risk Management framework, OCTAVE from CERT, the same group that brought you the CERT Coordination Centre that manages security incidents, particularly on the Internet.
© 2009 Geoff Harmer