Demystifying ITIL’s ITSCM

January 21, 2020

Mitigating technology, communication, and data risks are an integral part of business
continuity management. As such, it is essential for Business Continuity and Information
Technology Practitioners alike to recognize how the IT Infrastructure Library (ITIL), which
is a set of detailed practices for IT Service Management, is applied in the continuity of IT
services. Demystifying ITIL’s IT Service Continuity Management (ITSCM) helps
practitioners across various domains better understand how it can be adopted and
customized to serve both business and technology continuity requirements within an
organization.

The Business Continuity Institute (BCI) glossary of terms lists “business continuity
management as a holistic process that identifies potential threats to an organization
and the impacts to business operations. Those threats, if realized, might cause, and
which provides a framework for building organizational resilience with the capability of
an effective response that safeguards the interests of its key stakeholders, reputation,
brand and value-creating activities”. Many business continuity practitioners rely on the
BCI methodology and Good Practice Guidelines, Disaster Recovery Institute
International (DRII) Professional Practices, and a variety of standards like ISO 22301,
Security and Resilience – to guide in the design, implementation, and management of

1
business continuity services within an organization.

ITIL 4.0 utilizes a holistic approach that has evolved into a four-dimensional model that
includes organizations and people, information and technology, partners and suppliers,
and value streams and processes. Its service management framework provides a set of
processes commonly referred to as practices that are grouped into three categories
general management, service management, and technical management. Each
category contains a subset of practices, 14 general management, 17 service
management, and three technical management. Often elements of core messages
and service management practices are observed within other frameworks, methods,
and standards like Agile, COBIT, Lean, PRINCE2, and more.

ITIL 4.0 include contains 17 service management practices:

1. Business analysis
2. Catalog management
3. Service design
4. Service level management
5. Availability management
6. Capacity and performance management
7. Service continuity management
8. Monitoring and event management
9. Service desk
10. Incident management
11. Service request management
12. Problem management
13. Release management
14. Change control
15. Service validation and testing
16. Service configuration management
17. IT asset management

2
For Information Technology and Business Continuity Practitioners, one of the most
notable service management practices contained in ITL 4.0 is “IT Service Continuity
Management” (ITSCM). In part, this practice aims to manage risks that could seriously
disrupt IT services. It does this by focusing on risk identification, resource leveraging, use
of cost-justifiable mechanisms, and major incident identification and response to
protect the infrastructure and enable recovery of the business services delivered by the
IT function. Contained within this service management practice is also a list of sub-
processes and objectives determined by industry experts, consultants, and practitioners
as good practices.

• ITSCM Support – to ensure all members of IT, staff, with responsibilities for
responding to disasters are aware of their exact duties, and all relevant
information is readily available when a disaster occurs.
• Design Services for Continuity – to design appropriate and cost-justifiable
mechanisms and procedures to meet the agreed business continuity targets,
which includes the design of risk reduction measures and recovery plans.
• ITSCM Training and Testing – to ensure that all preventive measures and recovery
mechanisms for the case of disaster events are subject to regular testing.
• ITSCM Review – to review disaster prevention measures are still in line with risk
perceptions from the business side and to verify if continuity measures and
procedures are regularly maintained and tested.

Seasoned practitioners who’ve used ITSCM in part or full often view it as the technical
arm of business continuity management. And one that must be kept aligned to the
business continuity lifecycle and part of the overall continuity strategy, priorities, and
plan.

Basic similarities exist between ITIL’s ITSCM and other business continuity management
standards and methodologies used by practitioners, for example:

• Performing a business impact analysis to prioritize core business processes and IT

application recovery

3
 • Completing a risk assessment for each core business function and IT service to
identify assets, threats, vulnerabilities, and controls
• Evaluating business requirements and recovery options
• Designing and implementing a continuity plan
• Reviewing, testing, and revising the continuity plan regularly to maintain
alignment with changing business impacts, needs, and lessons learned

Success in the business continuity world is primarily defined by how efficiently and
effectively an organization can reduce risk and thwart off a business disruption before it
can cause severe financial loss, regulatory breach, or damage brand and reputation.
ITIL’s ITSCM is easily demystified and far more, reaching than just a disaster recovery
plan. Its ultimate goal is meant to support the Business Continuity Management process
by ensuring that the required IT technical and service facilities, including local
machines, networks, applications, telecommunications, technical support, and service
desk, can be effectively recovered within required and agreed business timelines.
Being knowledgeable about ITIL and the application of ITSCM practice, processes, and
objectives offer an opportunity for both Information Technology and Business Continuity
Practitioners to collaborate closely, design, and implement continuity planning solutions
within the IT domain to ensure that the end-to-end IT environment survives during a
severe or catastrophic event.