[ISM3 Users] Tuesday Insight: Blast from the Past - Maturity Models

Vicente Aceituno vac at zenobia.es
Tue Jul 17 13:41:59 CEST 2007


***Note***
I hope you don't mind if for the rest of the summer, I post the best
messages from the old YahooGroups mail list.

Doing so, all interesting posts will be in the new mail list Archives,
and new mail list members can learn interesting tidbits about ISM3.

****Maturity Models****originally posted Thu Jun 1, 2006 2:12 pm***
Hi,

As most of you will know, ISM3 is a maturity model.

Maturity models are normally represented in two alternative ways:
Continuous and Staged.

In CMMI, the staged maturity levels are:
-Initial (ad hoc)
-Managed
-Defined
-Quantitatively Managed
-Optimizing

while the continuous ones are:
-Incomplete
-Performed
-Managed
-Defined
-Quantitatively Managed
-Optimizing

In ISM3 we use a mix of these representations. All accreditable ISM3
processes are ISO9001 compliant; this is equivalent to Defined in the
continuous representation. On the other hand, on the staged
representation, higher maturity means a more complete ISMS, not a
complete ISMS with continuous maturity lower or higher than "Defined".

Thinking about actually testing for maturity, auditing if a process is
Defined or not is a routine task that all ISO9001 auditors are used to.

Some people asked why ISM3 doesn't use other higher continuous maturity
for processes. There are several reasons.

First of all, the model is complex as it is. I think that ISM3 has to
be more widespread before making further improvements. They say
"perfection is an enemy of goodness" in Spanish.

Secondly, I feel CMMI has failed to accurately define maturity. It
doesn't make sense to define levels that are not significantly different.

For example, I find these definitions vague:

-"Focus on process improvement"
-"Process measured and controlled"
-"Process characterized for the organization and is proactive"
-"Process characterized for projects and is often reactive"
-"Process unpredictable, poorly controlled, and reactive"

I think that the following definitions are accurate and testable:

1- UNDEFINED There is lack of evidence for the process being defined.
2- DEFINED There is evidence of the process being defined and used.
3- MANAGED There is evidence of the results of the process being used
for fixing and improving the process.
4- QUANTITATIVELY MANAGED There is evidence of a procedure for accurately
predicting the process milestones and need of resources.
5- OPTIMIZING There is evidence of improvement in the process leading
to a saving in resources.

Resources meaning (Time, Money, People, Hardware, Software,
Communications, Logistics, Space, Energy and Information)

Now, there is an important distinction to be made. An audit can't
predict future or present performance. When an auditor says "this
process is ISO9001 compliant" this means that any faults in products
or services won't be the result of the process not being defined. But
there could be other reasons, like lack of competence, dereliction of
duty, errors, etc.

So auditing the level of maturity for levels 3 and 5 (as defined in
this mail) doesn't have a power of prediction. The evidence of the
process being Managed or Optimizing could be anecdotal and never be
repeated.

So the only levels which can be meaningfully audited are 2 and 4, as
it is unlikely that an organization that can predict the cost and
duration of a project will suddenly forget how to do it, and once a
process is defined, the definition doesn't disappear into thin air.

As of today, I feel ISO9001 and ISO27001 are ready only to check for
2-Defined level ISMS. The auditing of 4- QUANTITATIVELY MANAGED of a
management system will still have to wait... ISM3 too.

My best

Vicente

