Sign in

ITIL 4 and the Cloud White Paper

White Paper

ITIL 4 and the Cloud White Paper

White Paper

  • White Paper
  • Customer engagement
  • Governance
  • Value
  • ITIL

Author  Mark O'Loughlin

February 14, 2019 |

 35 min read

  • White Paper
  • Customer engagement
  • Governance
  • Value
  • ITIL

As the traditional IT landscape shifts, the IT model that has served us well in the past has changed significantly. This paper discusses the impact of cloud on ITSM and ITIL roles and how it can help organizations provide a better service for their customers.

There is an on-going shift in the world of IT that is disrupting both the IT function and the organization itself. We are experiencing significant change in areas such as:

  • IT technologies
  • management of IT
  • business models
  • attitudes, behaviours, and culture.

As the traditional IT landscape shifts, the IT model that had proven successful has evolved significantly. New digital technologies require organizations to change or adapt their business models. This digital transformation is being driven by emerging technologies, for example:

  • cloud
  • Big Data
  • Internet of Things (IoT)
  • intelligence (AI).

This technological change has been so significant that it is commonly referred to as the Fourth Industrial Revolution. However, if IT service management (ITSM) professionals and the IT function want to remain relevant in this new IT landscape, they need to fully understand what digital transformation is about. They also need to become leaders and trusted advisors in their organization on all matters relating to cloud. This is because cloud is the most common of the digital technologies being adopted today.

A significant difficulty facing ITSM professionals is where to start. What needs to be addressed to make a difference? Going back to first principles, the following is good advice:

  • Frameworks such as ITIL, DevOps, Lean and Agile can help the organization to structure activities to drive results.
  • Vendor-neutral training and education is important, as it helps the organization and IT professionals cope with hybrid cloud environments, i.e. multiple cloud services.
  • Vendor-specific technology training is equally as important, as digital technologies and their capabilities continue to evolve.

Upskilling IT professionals to deliver value, from digital technologies, as opposed to doing tasks, is a necessity, even if it remains a significant and often overlooked gap. Focusing on the technology alone will not deliver digital success, digital innovation, or digital value; it will only deliver new technology. So, what should we to do to ensure we deliver value?

Start by using a simple model, such as the BCC Model (Table 1).


Current and emergent practices, training and education
Emergent practices, training and education include ITIL, DevOps, AGILE, Lean, Cloud, Big Data, Internet of Things, Blockchain, Artificial Intelligence, etc
Providing technology training
Covering both vendor specific and vendor neutral technology training
Current and emergent practices, training and education and technology training
It is only by combining current and emergent practices, technology and education will organizational and business change occur to such a level where value is delivered, and change happens across the entire IT function throughout the organization.
BBC model is copyright of Red Circle Strategies 2019

This whitepaper looks at the way traditional IT service management practices have been impacted and challenged by the disruptive nature of cloud computing1. It also examines the way ITIL 4 can be utilized to meet the challenges that rise from the adoption of cloud-based services. It supplements ITIL 4, and stands in relation to ITIL 4, the CCC digital and cloud portfolio, and the Professional Cloud Service Manager (PCSM) certification. The summary concludes with a personal call to action. 1 Cloud computing will be referred to as ‘cloud’ or ‘cloud-based services’ throughout this white paper.

What is ITIL?

ITIL has led the ITSM industry with guidance, training, and certification programmes for more than 30 years. ITIL 4 brings ITIL up to date by re-shaping many of the established ITSM practices in the context of customer experience, value streams, and digital transformation, as well as embracing new ways of working, such as Lean, Agile, and DevOps. The guidance provided by ITIL publications can be adopted and adapted for all manner of organization and service, including cloud-based services.

What is cloud computing?

Cloud is a disruptive innovation that challenges and changes traditional business and IT models. It is disruptive because it changes how IT products and services are provided for both the consumer and the service provider. Cloud has moved the organization away from the traditional software licensing models and premises-based data centre hosting to ‘pay-as-you-go’ or utility-based pricing models. As the adoption of cloud increases, the organization has seen a reduction in the use of the IT infrastructure which they previously bought, operated and maintained. Cloud also changes the way the organization purchases, integrates, manages and consumes operations support, IT, and consumer services and applications.

In simple terms, cloud can be described as a revolutionary new model for technology and business:

  • Cloud uses new and emerging technologies.
  • It is provided to customers in a different way to traditional IT.
  • It is bought, operated and maintained differently from traditional IT.
  • It allows the organization to use IT infrastructure, platforms and software in new ways.

Because of these changes, the organization and individuals need to change the way they work.

There are similarities between cloud and cloud-based services and the definition of a service as defined in ITIL Foundation: ITIL 4 Edition:

A means of enabling value co-creation by facilitating outcomes that customer want to achieve, without the customer having to manage specific costs and risks.

The premise of cloud is that it allows IT, business, customer and consumer services to be provided with greater economies of scale, quicker, faster and cheaper and without the need for the service provider to own the entire IT infrastructure, platform, software or applications themselves. Peaks in demand for IT, business and customer services can be automatically provisioned for, leading to a pay-per-use model. A pay-per-use model can, in certain circumstances, lower the cost of service delivery by eliminating full ownership of back-end IT infrastructure, platforms, software and applications.

Cloud enables organizations to realize the following benefits:

  • reduces IT asset ownership
  • reduces overall capital expenditure costs (CAPEX)
  • reduces IT over-capacity
  • increases the capabilities of the IT organization
  • leverages newer technologies
  • provides utility-based charging
  • introduces real economies of capacity
  • enables resources to be scaled up and down quickly to cope with increases and decreases in demand for IT services.

Cloud is now ubiquitous in our lives. People and organizations use the cloud every day, often unknowingly. However, from an organizational perspective, the realization of the benefits from cloud and digital technologies is dependent on:

  • how well the organization adopts and uses cloud and digital technologies
  • having sufficiently trained IT professionals with technical and non-technical digital and cloud skills.

Impact of cloud on IT service management

The proliferation of cloud-based services does not change the fundamentals of what IT service management aims to achieve. The goal is to create quality products and services which are fit for purpose, fit for use and aligned to the strategic goals and needs of the organization.

However, cloud was born out of disruption. The latest developments in cloud and digital technologies allow the organization to develop new business models, which will give them a competitive advantage over traditional businesses. For example, Amazon continues to take market share from high street retailers while also disrupting traditional IT service providers. Software giants such as Microsoft are moving away from the traditional software licensing model to reinvent themselves as cloud-service providers.


Cloud is a form of outsourcing. In moving to the cloud, the organization outsources specific tasks and responsibilities to the cloud service provider. This leads to the organization, and the IT function as the internal IT service provider, to shift away from managing some of the technical aspects of delivering the service, including: IT process management; risk management; financial management; IT architecture; interoperability of systems; security; and IT service management in general.

Public cloud-based services are provided to the organization under contracts which have different metrics to traditional IT services. Availability is a key indicator of service provision of public cloud services. However incident resolution times, root cause analysis, change notifications and customer specific service level agreements are generally not defined for the customers of many public cloud-based services.

There is one fundamental aspect which will not change. The IT function and the organization must retain overall responsibility for the end-to-end design, architecture, interoperability, security and risk management, etc. of the services they provide, no matter how much or how little of that service is outsourced to the cloud vendor. End-to-end responsibility cannot be outsourced.


Organizations need to modify their business strategies in line with the opportunities offered by cloud and other digital technologies. These modifications will filter down to the IT strategy, where they will help re- define the goals and objectives for how IT supports the needs of the business. Many organizations have not yet done this.

Research carried out by the CCC2 found:

...many IT and Service Management professionals, taking CCC classroom-based education continue to report that they have not seen a cloud-based IT or Business strategy. Some delegates report seeing an IT clouds strategy but only as a presentation or set of slides. More worrying is the large number of delegates who report that, prior to taking a professional Could Service Management course, they would not know what should be included in a cloud strategy document. This is not surprising as many organisation and professionals do not understand the basics regarding the context of cloud.


When organizations adopted guidance from previous versions of ITIL, they generally selected processes from the service transition and service operation stages of the lifecycle, including: incident, problem and change management; service request fulfilment; event management; and configuration management. Taking these processes as examples, how would they be affected when an organization outsources their IT to the cloud?

Table 2 presents fictitious scenarios based on real-life challenges from the point of view of a variety of roles within the organization. Many of the issues do not get addressed, frequently because the IT function lacks the guidance to determine the best course of action.

Table 2. Possible issues faced in a typical organization

Role/process Typical questions and concerns
Incident manager How do I manage, restore and report on incidents which occur in a cloud-service providers’ environment, where I have no control over what they do, and I have no access to their IT environments?

How do I restore a service when there are multiple-cloud providers providing a part of the service and they each blame the others?

How do I report the expected incident resolution fix-time to the CIO when our public cloud email application goes offline?

Our cloud service provider will not tell me.
Problem manager Why won’t the public cloud service provider provide root cause analysis (RCA) for the major application problem we had last week?

I am under pressure to provide the CIO a reason other than ‘cloud-failure’; the CIO needs to report to the board
Change manager Do we still need a change advisory board (CAB) or our weekly two-hour change approval meetings?

How do I manage and report change activity which occurs in a cloud service providers’ environment?

Why are DevOps teams allowed to make changes without following our change process or procedures?

Is my role being outsourced to the cloud?
Availability manager How do I ensure availability of systems, applications and services when I cannot control or manage the parts provided by cloud service providers?
Service level manager How do I report our typical IT service management metrics to management?

I do not get metrics from public cloud service providers. Even when they provide me with the monthly availability measurements, they differ from the availability we measure for many of the other cloud-based infrastructure, services and applications we use.
CIO Have I just lost control of the IT function?

IT seems to be provided by a number of different cloud service providers, but no-one seems to be accountable. Worse still, the cloud providers are only responsible for certain pieces of each service and they won’t talk to each other when problems arise.
Finance manager I was told that moving to the cloud was going to save us a lot of money. I have not seen any savings to date. Why not?

Who is controlling the OPEX budget?

Actually, never mind that: who is spending the OPEX budget and on what? Our monthly spend on cloud seems to be increasing but I don’t know why and can’t see any additional revenue coming into the business from this extra spend. The CIO does not seem to know either, which is a concern.
VP of products I asked IT to ensure that our online shop would be always available during the busy shopping period. We requested that IT integrate two new forms of online payment wallets. In addition, we need to analyse purchaser shopping preferences from the customer’s previous visits using some form of analytics, which IT refer to as their big data capability. However, I have yet to see any of this working consistently. So much for this cloud and digital revolution I keep hearing about!
Head of marketing We decided to use a public cloud-based service to run this years’ marketing and social media

The CIO said we cannot use the cloud service which we have subscribed to due to some problem with our data existing on a server outside the European Union. I don’t
understand what this means, and I don’t really care. Anyway, doesn’t cloud do away with the need for servers these days?

The cloud service we signed up to is really good value and does what we need it to do. However, IT needs to sort out single-sign-on and to make the cloud system work with our CRM application. They seem to be having problems with
this, as usual.
All roles How are we to change and adapt our current work practices to be more agile and flexible, and to work with DevOps and Lean ideas? How are we to benefit from using cloud where problems are solved, not introduced?

Further analysis conducted by the CCC reveals that:

The above scenarios are still common today. In order for organisation and IT Professionals to deal with and find answers to these questions and challenges, they need to understand the context of what the cloud is. Context requires more than just a working definition of cloud.

The CCC conducts research on a continual basis. Research methods include; global surveys, industry analysis, expert panel reviews and pre-and-post classroom surveys. Findings are also published in CCC reports and whitepapers.

ITIL 4 updated for the digital world

ITIL 4 champions the use of modern technology and addresses the challenges of modern IT service management. It presents a flexible, coordinated and integrated framework for the effective governance and management of IT-enabled services.

The key components of the ITIL 4 framework are the service value system (SVS) and the four dimensions model.

5.1. SVS

The SVS, shown in Figure 1.1, represents the way the activities of the organization combine to create value through IT-enabled services. The SVS facilitates integration and coordination of the activities and provides a strong, unified, value-focused direction for the organization.

The service value lifecycle

Figure 1.1 ITIL Service Value System

The core components of the SVS are:

  • ITIL service value chain
  • ITIL practices
  • ITIL guiding principles
  • governance
  • continual improvement.


The ITIL service value chain provides an operating model for the creation, delivery, and continual improvement of services. It is a flexible model that defines six key activities that can be combined in many ways, forming multiple value streams. The service value chain is flexible enough to be adapted to multiple approaches, including DevOps and centralized IT, to address the need for multimodal service management. The adaptability of the service value chain enables the organization to react to changing demands from their stakeholders in the most effective and efficient ways.


The flexibility of the service value chain is further enhanced by ITIL practices. Each practice supports multiple service value chain activities, providing a comprehensive and versatile toolset for ITSM practitioners.


The ITIL guiding principles can be used to guide the organization’s decisions and actions. They ensure the organization has a shared understanding and common approach to service management. The ITIL guiding principles create the foundation for the organization’s culture and behaviour from strategic decision-making to day-to-day operations.


The SVS includes governance activities that enable the organization to continually align its operations with the strategic direction set by its governing body.


Every component of the SVS is supported by continual improvement. ITIL provides the organization with a simple and practical improvement model to maintain their resilience and agility in a constantly changing environment.


ITIL 4 outlines four dimensions of service management from which each component of the SVS should be considered to ensure the service is viewed holistically. The four dimensions are:

  • organizations and people
  • information and technology
  • partners and suppliers
  • value streams and processes.

By giving each of the four dimensions the appropriate time and attention, the organization ensures their SVS remains balanced and effective.

Service value system and the cloud

The ITIL SVS describes how the components and activities of the organization work together as a system to create value. It can be adapted for cloud-based services. The SVS provides a useful structure to ensure the organization uses the right cloud-based services, for the right reasons and in the right way, aligned to the needs and requirements of the governing body and stakeholders.


The ITIL guiding principles can be adapted for cloud-based services and aligned to disciplines such as: architecture; strategy; procurement; velocity of change; budgeting and financial controls; capacity and performance management; availability; training and education, etc.


Governance activities enable the organization to align their choices and use of cloud-based services with the strategic direction set by the organization’s governing body and stakeholders. It is critical to consider how cloud-based services will be directed, controlled and monitored when parts of the service are not accessible by the organization, and contract terms, conditions and service levels may not be negotiable.


The ITIL service value chain can be adapted to deliver cloud-based services.

The defined activities may be generic in some cases, whereas in others they might be specific e.g. a specific cloud service from a specific cloud vendor.

Practices and continual improvement and the cloud


Practices are sets of organizational resources designed for performing work or accomplishing an objective related to the full lifecycle of a cloud service. ITIL 4 has relabelled what were previously referred to as processes as practices. By using cloud-based services, organizations are able to reduce tasks for some of the practices, as these will be carried out by cloud service providers.

For example, with public cloud email services, the service provider is responsible for maintaining the entire back-end infrastructure behind the email service, including the management of incidents, problems, changes, releases, changes, capacity, etc.

Many organizations who need to integrate cloud-based services with their traditional IT and business services are likely to retain the processes and practices that allow them to manage incidents, problems, changes, releases, changes, capacity and availability from an end-to-end, holistic perspective.

Accountability for the overall service will remain with the organization that procured the cloud service.


Continual improvement is a recurring organizational activity performed at all levels to ensure the organization’s performance continually meets stakeholder expectations.

ITIL 4 supports continual improvement through the ITIL continual improvement model. A holistic approach to the continual improvement of the SVS of cloud-based services should be aligned with the continual service improvement practice.

High level areas to consider include:

  • how can cloud improve existing services?
  • how to deliver value and outcomes to the organization through cloud-based services, rather than managing infrastructure task and activities
  • how to improve the organization’s use of cloud, reducing the time and effort of managing back-end infrastructure and application code.

Continual improvement is not exclusive to ITIL:

  • Lean methods provide perspectives on the elimination of waste.
  • Agile methods focus on making improvements incrementally at a cadence.

DevOps methods work holistically and ensure that improvements are not only well designed but also effectively applied.

Adapting the service value chain to the cloud

A service value chain is a set of interconnected activities that the organization performs to deliver a valuable product or service to its consumers and to facilitate value realization. Although the service value chain operating model is generic, in practice it can follow different patterns called value streams.

The service value chain can be adapted to multiple approaches, including DevOps and centralized IT, to address the need for multimodal service management. The adaptability of the value chain enables the organization to react to the changing demands of its stakeholders effectively and efficiently.

The flexibility of the service value chain is further enhanced by ITIL practices. Each ITIL practice supports multiple service value chain activities, providing a comprehensive and versatile toolset for ITSM practitioners.

Table 3 shows the six activities within the service value chain which lead to the creation of products and services and, in turn, value.

The six value-chain activities are:

  • plan
  • improve
  • engage
  • design and transition
  • obtain/build
  • deliver and support.

Value chain activity Products and service example
Plan The purpose of the Plan activity is to ensure a shared understanding of the vision, current status, and improvement direction for the four dimensions and the organization’s products and services.
A cloud Plan should be aligned to the overall business strategy, and should include take into consideration the needs of the business and IT stakeholders. It should include:

- policy statement
- organizational vision
- organizational objectives
- key drivers for adoption
- risks and issues
- individual policy statements
- glossary.

Examples of individual policy statements include:

- use of public or private clouds
- data location and retrieval
- legal and regulatory compliance requirements (in particular, with regard to the storage of data)
- privacy of data, organizational information and secrets
- skills requirement
- data retrieval
- cloud exit criteria/capability (this is very important and almost always overlooked).

The glossary should contain a brief explanation of the five characteristics of cloud, the four cloud deployment models, and the three cloud service models as defined by NIST.*
Improve The purpose of the Improve activity is to ensure continual improvement of products, services, and practices across all value chain activities and the four dimensions of
service management.

In some instances, it is the cloud service which can be improved. In other instances, cloud will bring an improvement to the existing service, application, IT component etc.

If cloud is adopted for the right reasons and in the right way, it should bring improvements for both IT and the business.
Engage Initially, the purpose of the Engage activity is to foster an understanding of stakeholder needs, to offer transparency of process, and to maintain continual engagement and good relationships with stakeholders.

When adopting a cloud-based service for the first time, it is important to engage with stakeholders, to understand the strategy, to discuss the needs and requirements with customers, and to understand end user expectations.

The organization will need to engage with the cloud service provider in order to access their services. This could be as simple as creating a customer accountand providing billing details for a credit card. It could be as complex as
having to work through a Request for Proposal (RFP) process.

Engagement also happens once the cloud-based service is up and running. It is important to continue to engage with product and service owners, technical teams, users of the cloud services, and to align future actions with
the overall cloud strategy.
Design and transition The purpose of the Design and transition activity is to ensure that products and services continue to meet stakeholder expectations for quality, cost, and time to market.

The design and transition of a cloud-based service may take time, as it can be complex. It is a good idea to approach the service as a project. Equally, it might be wise to approach the service as a minimal viable product.

Once in place, many of the ongoing design and transition activities for cloud- based services can be handled using DevOps or Agile methods, which would allow the workload to be handled in short, incremental bursts, which would initiate a higher velocity
of change.

Please note: some changes are not suited to a high velocity.
Obtain/build The purpose of the Obtain/build activity is to ensure that service components are available when and where they are needed, and that they meet agreed specifications.

With cloud-based services, there is less need to build back-end infrastructure, platforms or applications, as they come as part of the cloud service.

Most cloud-based services have to be subscribed to in order to gain access. Frequently, they have to be configured to work with the organization’s existing IT infrastructure and services (which
may contain other cloud-based services).

Once in place, the build phase for cloud-based services may refer to building required improvements.

Wherever possible, it is good practice to automate build activities including testing and validation, using relevant continual integration/continual deployment (CI/CD) toolchains.
Deliver and support The purpose of the Deliver and support activity is to ensure that services are delivered and supported according to agreed specifications and stakeholder expectations.

Initially, a new cloud-based service is provided. This could be a technical cloud service for the IT function or a software application to be used by business users, customers or consumers, the
ongoing activity would support and maintain the service.

Many cloud vendors manage incidents, problems, changes, and levels of availability and capacity as part of their service delivery. This reduces the activities the organization has to take on themselves.

In the event of a cloud-based service going offline, the organization could be left with limited information regarding service restoration.

In many cases, once a cloud service, such as IaaS, PaaS and SaaS3 is in use, the engage, design and transition, and obtain/build stages of the SVS can be automated using automated tool chains, leading to higher velocity of change in line with good DevOps practices.

* NIST. National Institute for Standards in Technology. NIST defined these basic characteristics of cloud.

3 IaaS Infrastructure as a Service, PaaS Platform as a Service, SaaS Software as a Service.

Value stream mapping

The fourth dimension of service management is value streams and processes, which are applicable to both the SVS in general, and to specific products and/or services. In either context, value streams and processes define the activities, workflows, controls, and procedures that are essential for the organization to achieve its agreed objectives. The objectives for cloud-based services should be documented within an organization-level strategy that is tailored to the cloud.

Applied to the organization and its SVS, the value streams and processes dimension is concerned with how the various parts of the organization work in an integrated and coordinated way to enable the creation of value through products, services and in this case, cloud-based services.

See Appendix A: Examples of Value Streams in ITIL Foundation for examples of how the SVS model can be used to develop appropriate value stream mapping. Apply this approach, along with the templates in Appendix A.4, to cloud based-services.

Service financial management

Traditionally, IT costs and allocations came from a fixed budget which funded the IT function and its services. Hardware was a capital expenditure (CAPEX), which could be written off over several years. However, cloud services are consumed as utilities, which are paid for from the operational budget, (OPEX).

ITIL Foundation: ITIL 4 Edition states:

The emergence of new technology has affected the way that every organization manages its IT services from a financial perspective. Much of the current wave of technological evolution has been enabled by cloud computing, and this seems likely to continue for the foreseeable future. This has led to a major change in how IT services are obtained, funded, and paid for by organizations.

Traditionally, IT resources were obtained using upfront capital expenditure (CAPEX). However, under the cloud model, the provision of IT infrastructure, platforms and software is provided 'as a service'. This model generally uses subscription-based or pay-as-you-use charging mechanisms which are paid for out of operational expenditure (OPEX).

Another area that has seen change is the organization's approach to setting and managing IT budgets. Flexible IT budgets are required to meet the cost of scaling cloud-based services in an Agile and on-demand way. Fixed IT budgets often forecast months in advance, struggle to account for the scaling of IT resources in this way.

Procurement rules within organizations are also having to change. There remains a place for fixed-price IT projects and services; however, cloud-based digital services are generally sold under a variable-price model, i.e. the more you use and consume, the more you pay, and vice versa. Therefore, those organizations that have not updated their procurement rules to allow them to buy variable-priced IT resources will face a large self-made barrier preventing them from using cloud-based digital services. To be as effective as possible, organizations must update their polices and educate their staff to ensure that they can be purchase IT under a variable-priced model.  

The advice is to:

  • move away from inflexible budgets to flexible cost and charge models
  • establish proper billing mechanisms which charge departments and users based on usage, not pre-defined budgets.

Reducing capital expenditure is likely to lead to increases in operational expenditure, (though CCC research indicates this is not always the case). The organization needs to understand how to accommodate the increased operations expenditure in their budgeting. Some organizations may wish to put the CAPEX they save toward further IT projects. As such, it is important to identify the organization’s strategy for how they intend to pay for IT services, systems and applications. It is possible the organization will adopt a hybrid approach to capital and operations.

Service level agreements

Service level agreements (SLAs) lay out the minimum level of service delivered to the customer. As such, SLAs should be agreed in a wider business context and focus on what matters most to the customer.

ITIL Foundation: ITIL 4 Edition states the following:

Using SLAs may present many challenges; often they do not reflect the wider service performance and the user experience.

Service level management requires focus and effort to engage and listen to the requirements, issues, concerns, and daily needs of customers:

Engagement is needed to understand and confirm the actual ongoing needs and requirements of customers, not simply what is interpreted by the service provider or has agreed several years before.

Listening is important as a relationship-building and trust-building activity, to show customers that they are valued and understood. This helps to move the provider away from always being in 'solution mode' and to build new, more constructive partnerships.

Service level management involves collating and analysing information from a number of sources including:

Customer engagement - This involves initial listening, discovery, and information capture on which to base metrics, measurement, and ongoing progress discussions. Consider asking customers some simple open questions such as:
  • What does your work involve?
  • How does technology help you?
  • What are your key business times, areas, people and activities?
  • What differentiates a good day from a bad day for you?
  • Which of these activities is most important to you?
  • What are your goals, objectives, and measurements for this year?
  • What is the best measure of your success?
  • How do you base your opinion  and evaluation of a service or IT/technology?
  • How can we help you more?

This is good advice. However, there is one simple, but significant, consideration regarding cloud-based services to consider. Most public cloud-based services provide a generic form of cloud service to their customers and consumers. There is limited ability to change the overall service, including how it is presented and delivered. This reduces the cost of support, maintenance and upkeep of the service. As a consequence, the service provider expects the customer and consumer to accept the terms and conditions of their services, without negotiation, as we see with the many public cloud-based email services.

It is important to negotiate service levels for cloud-based services wherever possible. However, where service levels cannot be negotiated, consider the following:

1. Accept that the service levels for the public cloud service is non-negotiable.
2. Analyse
the service levels which will be provided for that service.
3. Review the full terms and conditions which govern the service.
4. Identify the differences in customer expectations against what is being offered by the service provider.
5. Update stakeholders on how their requirements differ from the service the provider is willing to deliver. This step is likely to require a change in their expectations. Upfront and early communication is critical.

A simple example is the public cloud-based email service which offers a minimum level of service availability. However, the IT department still logs and manages email issues under a priority response model, i.e. urgency + impact = priority. Worse still, the business expects the IT function to restore the email service within a specific timeframe e.g. a fix expected within one hour, which indicates a mismatch between expectation and reality.

It is important to consider:

  • Does your organization know and understand this change in service level?
  • Does your organization have IT professionals and staff capable of dealing with these common situations?
  • Does your organization currently have an expectation of what service levels they think they are getting, rather than what they are getting. How significant is the gap?

It is critical to understand that cloud-based service levels, especially for public cloud-based services, are generally very different from the traditional service levels and T&Cs that the organization has dealt with in the past.

DevOps, change control and velocity of change

Two important characteristics of cloud are on-demand self-service and rapid elasticity. These characteristics allow changes to cloud-based services to be made instantly. At a basic level, change velocity is a measurement of the speed at which IT changes can be made. On-demand self-service and rapid elasticity increase the potential velocity of change for cloud-based services.

Rapid Elasticity

Rapid Elasticity is the ability for a cloud-service to adapt to continual increases and decreases in demand for its resources. In rapid elasticity, supply of resource is closely matched to the level of resources demanded. For example, if the number of users buying from a website increased substantially at a given point in time, extra processing resources may be required. In this example, auto-provisioning of extra resources could be enabled where the extra resources could be provided automatically to the website when needed, and then reduced when the demand for resources lowers.

On-demand self-service

On-demand self-service is the ability for end-users, customers and consumers to provision cloud-based services or cloud resources themselves, in real-time and when needed. This is generally done through interfaces or web portals made available by cloud providers. On-demand self-service provide mechanisms to quickly increase or decrease cloud resources quickly; thus supporting the rapid elasticity nature of cloud-based services.

Cloud infrastructure enables faster deployment of new and changed cloud configurations settings, resulting in services that change quickly and with a high velocity. The ability to configure and deploy computing hardware with the same speed as new applications is a prerequisite for the success of DevOps and similar initiatives, which support the requirement of the modern organization for quicker time to market and more rapid digitalization of services.

Traditional waterfall-based release cycles tend to have a low change velocity, especially when compared with DevOps change activity on a cloud-based service. DevOps uses automation of the development and testing toolchain where possible to increase the velocity of change. This promotes a faster cadence (or cycle time) of CI/CD.

ITIL 4 acknowledges that a faster change velocity is critical for DevOps and is a requirement for many organizations. ITIL 4 introduces a practice called change control (not to be confused with the change management process). The purpose of change control is to ‘maximize the number of successful IT changes by ensuring that risks have been properly assessed, changes have been authorized to proceed, and the change schedule is properly managed’. There are three types of change that are managed by change control:

  • standard changes
  • normal change
  • emergency change.

Cloud-based services can be affected by any of these types of change. Standard and normal changes can be used to formalize high velocity DevOps changes on cloud-based services. In many cases, the goal is to automate as much work as possible to achieve continuous integration and continuous delivery. High velocity DevOps changes will be classed as either standard or normal, even if specific DevOps toolchains are used to record, approve, implement, test and verify the change. This type of high-velocity service delivery can bring the following benefits:

  • focus on fast delivery of new and changed IT services to users
  • integration of product and service management practices
  • extensive automation of the service delivery supply chain.

However, market analysis undertaken by the CCC2 and the DevOps Agile Skills Association (DASA) shows that:

  • Many organizations attempt to introduce DevOps practices, only to be slowed down by:
    Inflexible and bureaucratic processes
  • Inflexible people, command-and-control-management
  • Not implementing automation and correctly configured toolsets to support incremental increases in change 
  • Strict adherence to all change requests having to be approved via a change control board or meeting e.g on a weekly or fortnightly schedule

If the organization is to adopt DevOps successfully, it will need to take an agile approach. Agile is a timeboxed, flexible, and adaptive approach to IT that allows for a rapid response to change through the collaboration of small, cross-functional teams. Agile ways of working give development teams autonomy and allow them to self-organize, and the methodology promotes collaboration between customers, users, and development teams at every opportunity.

From an ITIL perspective, SVS supports many approaches, such as Agile, DevOps and Lean, as well as traditional process and project management, with a flexible value-oriented operating model. From a cloud perspective, the on-demand self-service, rapid elasticity, and resource pooling characteristics of cloud- based services are ideal for an Agile/DevOps environment.

It is important to consider how risks are managed when taking an Agile approach to software development, as the risks are different to those faced with a waterfall model. Many controls and governance structures that are required to manage risk under a waterfall model will have to be adapted and modified to work in an agile CI/CD environment.

However, care must be taken to only apply Agile and DevOps to situations which are suitable for high velocity, highly automated change. Just because an application can scale and change quickly does not mean it would suit an Agile approach. For example, medical applications built on cloud-based services which run life support systems for critical ill patients may not be suitable for high velocity change. Such an application needs highly regulated, controlled and slow velocity change, to ensure no individual change threatens the well-being of the patient.

The IT function must protect services, applications and IT infrastructure that are not suitable for agile development. This means:

  • re-defining the change process, end-to-end, incorporating agility where needed
  • re-defining the scope of the change advisory board (CAB), maybe even removing it from all operational activities
  • modifying the process used to approve change activities
  • changing existing attitudes, behaviours and expectations throughout the organization relating to how change occurs within agile environments
  • updating or redefining the change control process to a value stream perspective.

Delayering and removing siloed work practices, allowing greater collaboration and automating workflows help to create a more agile working environment, which leads to a more agile organization.

2 The CCC conducts research on a continual basis. Research methods include; global surveys, industry analysis, expert panel reviews and pre-and-post classroom surveys. Findings are also published in CCC reports and whitepapers.


Technology is changing at a faster rate than at any other period in history. The fourth industrial revolution is here and is evident all around us, both in our personal lives and at work. New technology is being adopted at a faster rate than ever before. All of this new technology drives innovation, creates new and exciting opportunities while challenging current, successful, business models. The only constant is change.

Changing technology and changing business models are causing the organization to recognize that it also needs to change. Using the latest technologies with work practices from the past will not lead to competitive advantage, nor will not drive innovation.

ITIL 4 provides a level of guidance the organization needs in order to address new service management challenges and utilize the potential of modern technology. Cloud technology can help us provide a better service for the customer, while potentially making savings for the organization. The onus is on us to make the right choices for the right reasons to achieve the right results. Hopefully, this paper can help you understand the choices you have to make.


Axelos Global Best Practice:

Axelos (2019) ITIL Foundation: ITIL 4 edition. The Stationery Office, London.

Cloud Credential Council:

[The CCC conducts research on a continual basis. Research methods include; global surveys, industry analysis, expert panel reviews and pre-and-post classroom surveys. Findings are also published in CCC reports and white papers.]

About the author

Mark O’Loughlin is the Managing Director of the Cloud Credential Council (CCC).

Mark is also the owner and Managing Director of consulting firm, Red Circle Strategies which provides strategic, management and digital advisory, consulting and education services.

Author of two books, Mark has written Professional Cloud Service Manager (PCSM), one of the core certifications provided by the CCC and The Service Catalog published as part of the ITSM Best-Practice library.

Mark is a professional keynote speaker, regularly asked to speak at conferences and events. Mark is a former director at itSMF Ireland and a Fellow of the Irish Computer Society (FICS). Mark holds an MBA and was one of the first people to be globally awarded the ITIL® Master accreditation.

Author mark oloughlin

ITIL 4 and the Cloud White Paper