ISO/IEC 15504 part 2 identifies two dimensions necessary to conduct capability assessments; the capability dimension and the process dimension. The capability dimension is made up of a measurement framework consisting of five, maturing, levels defined in terms of process attributes and associated generic practices - this is discussed further in the section on TickITplus Levels. The second dimension relates to the set of processes that are assessed against the attributes and practices to identify the capability level for each process - this is the topic of this section.
The specific term used by ISO/IEC 15504 for this process set is the Process Reference Model or PRM. It also requires the domain and scope of the PRM to be identified and defines the required structure of a process within the PRM. In practice, therefore, it would be possible for any organisation to identify its set of processes and for an ISO/IEC 15504 compliant assessment to be conducted. The domain and scope of the PRM would simply represent that of the organisation. However, if this were to be repeated by multiple organisations, while possible, there would potentially be no consistency between organisational PRMs and hence no industry-wide basis for evaluating the results.
The TickITplus scheme addresses the consistency aspects by identifying a set of 40 processes that is believed to cover the majority of IT related activities and services. The domain and scope of the set of processes is equivalent to the scope of the TickITplus scheme - in essence, the IT industry sector. However, TickITplus could not call its set of processes a Process Reference Model because the processes are generic - they are not actually implemented in practice for an assessment to be conducted on them. The term Base Process Library (BPL) was therefore chosen to represent the complete set of 40 TickITplus processes from which organisations would select their processes.
The definition of a TickITplus process complies with the requirements identified in ISO/IEC 15504 and consists of:
A purpose statement
One or more process outcomes
Multiple Base Practices
One or more input and/or output Work Products
Additionally, and in order to provide the links into certification audits, each Base Practice may provide references to one or more requirement or references standards such as ISO 9001 or BS 25599.
The set of 40 processes has been constructed mainly from processes identified in existing standards such as ISO/IEC 12297, ISO/IEC 15288 as well as those established through requirement standards such as ISO/IEC 20000-1 and ISO 27001. In order to accommodate the selection and use of process subsets for different IT sector activities, while ensuing mandatory processes are identified to satisfy ISO 9001, the processes are categorised as Type-A (required), Type-B/C (scope dependent) and Type-M (for high maturity). Type-B/C processes become either Type-B or Type-C by the selected organisational scope and those classed as Type-B are then required to be implemented like Type-A; Type-C remain optional but should be considered if they provide business benefits.
Process Reference Model
Once an organisation has identified its scope, the required set of processes from the BPL will become known through the selected Scope Profile. The selected set of processes is known as the organisational Process References Mode (PRM) which is used as the basis for developing or improving the management system and conducting capability assessments.
However, as they stand the set of BPL processes chosen by the organisation are still written in a very generic manner and do need to be 'translated' into organisational terminology for its processes, practices and work products. The translated organisational processes are referred to as 'Defined' processes. This is the main function of the organisational PRM.
While the complete set of 40 TickITplus BPL processes tries to cover all business, operational, technical and improvement activities, it is recognised that for some of the processes there may well be multiple approaches undertaken in an organisation. For example, the BPL includes a generic process for Risk Management but an organisation may undertake risk management in two very different ways; one for corporate risk management and another for project risk management. Therefore in this example, the PRM will identify two defined processes for the generic BPL risk management process.
Process Assessment Model
The third main component of TickITplus is the Process Assessment Model (PAM) which is used to manage and record the capability assessments. The Process Assessment Model is derived from the organisational PRM and brings together the two dimensions (capability and process) identified in ISO/IEC 15504 part 2. The external assessor is responsible for the construction of PAM but will require significant input from organisation’s practitioners.
In summary the PAM includes one entry for each of the defined processes identified in the organisational PRM. The entry consists of the outcome, base practices, work products, process attributes, generic practices and implemented process sample. The implemented process sample is the term given to identify where the process is undertaken in practice within the organisation and is made up of work groups, e.g. projects, functions, service groups etc. The sample is the set of examples used during the assessment to provide demonstrable evidence of implementation.
Once the assessment has been completed, see the section on TickITplus Assessments for further details, the PAM will record the results of the assessment in terms of findings requiring corrective action, an indication of the capability level of the processes and of the overall organisational maturity.