What is TickITplus?
TickITplus is more than a certification scheme and covers more than software development. It is intended to offer a flexible, multi-level approach to IT quality and certification assessment and can be applied at whatever level is deemed appropriate to the quality and process maturity of the organization and the needs of its customers. If multiple IT standards need to be addressed, these can be covered under one certification arrangement.
TickITplus was launched in 2011 by BSI's JTISC (Joint TickIT Industry Steering Committee). The principal aims of the scheme are to capitalize on the strengths of TickIT, whilst recognizing the changes in today's world of software development. Some of the key goals are to:
- adopt a full process-driven approach to business systems management
- introduce capability assessment concepts
- accommodate multiple requirement standards, e.g. ISO 9001, ISO/IEC 20000-1 (IT service management) and ISO/IEC 27001 (information security management
- strengthen the commitment to improvements
- enable collaborative assessments to be undertaken more formally.
From its launch, TickIT only ever provided guidance on the interpretation of ISO 9001 and, although the use of processes was encouraged, because it was tied to ISO 9001, it was still predominantly requirements-driven. The 2000 edition of ISO 9001 significantly strengthened the process-based approach, but in essence it still remained requirements-driven, even though the TickIT Guide Issue 5 incorporated the process definitions of ISO/IEC 12207 to provide guidance on the use of good software lifecycle processes. By comparison, newer requirements standards, such as ISO/IEC 20000-1 and ISO/IEC 27001, have emerged which are more clearly process-based.
Many companies have created integrated management systems and have requirements for combined assessments. This is particularly relevant when organizations are adopting closely related standards such as ISO 9001, ISO/IEC 20000-1 and ISO/IEC 27001. The benefits are clearly seen through easier deployment of processes, greater cost effective maintenance and more efficient third-party assessments.
Forty processes have been defined. Collectively, they cover business, engineering, functional and support activities, and are contained within a database maintained by ITA, called the BPL (Base Process Library). Processes are grouped into one of six defined categories.
The scheme has been designed to allow combinations of IT-related requirement and reference standards to be mapped into the BPL, which currently include ISO 9001, ISO 20000-1 and ISO 27001 - both the 2005 and the new 2013 versions. As the scheme develops, further requirements and reference standards could be added according to demand, such as:
- IEC 61508, Functional safety of electrical/electronic/programmable electronic safety-related systems
- ISO 22301, Business continuity management.
- ISO 26262, Road vehicles – Functional safety
- PAS754, Software trustworthiness – governance and management - specification
The TickIT scheme has existed since the early 1990s and, although it has been at the forefront of encouraging good IT engineering, auditing and certification practices, it is now becoming outdated. In the early 1990s, TickIT was introduced primarily to address issues within the classic software development areas. Over the years, IT provision has significantly diversified and there is now much less bespoke development being undertaken. There is greater emphasis on, for example, package adaptation, system integration and configuration, internet applications, etc. There is also an increasing trend towards the provision of IT-related services, with the associated availability and security concerns.
Another consequence of being tied to ISO 9001 was that TickIT audits could only result in a pass or a fail and this is now seen as a serious limitation. Customers are starting to need, and even demand, clearer indications of supplier performance in key business processes, such as risk management, to provide better criteria for supplier selection. One very strong indication of process performance can be established through capability assessments complying with ISO/IEC 15504-2.
TickITplus addresses all these aspects through:
- defining a core set of well-defined processes that provide complete coverage for a range of organizational activities
- adopting graded levels of process capability assessment and a maturity approach based on ISO/IEC 15504-2
- providing mappings between the core processes and combinations of requirement and reference standards
- introducing the concept of having formally trained practitioners within an organization to support ongoing improvements, promote higher levels of process capability and benefit from closer involvement in assessments.
TickITplus defines five levels of maturity of an organization, consistent with the requirements stated within ISO/IEC 15504-2. These levels are, in ascending order, Foundation, Bronze, Silver, Gold and Platinum. Levels from Bronze to Platinum are progressed by determining whether an organization has complied with certain process attributes by means of capability assessments. Compliance at the Foundation level is determined by making sure that an organization has identified processes correctly and is operating those processes. It is recognized that existing TickIT organizations will want to progress through the graded levels at their own pace and as improvements allow. Consequently, the Foundation level exists to allow organizations to progress to TickITplus with minimal effort and then start their process maturity journey.
These would then be mapped across to the existing or enhanced processes. Furthermore, as these standards are reissued, the Base Process Library will be updated to accommodate the changes to the underlying standards.