IT lifecycle management assessment framework
Ministers are responsible for all aspects of their ministries’ operational management, including effective control and systematic management of the IT landscape. We assess the management against relevant laws and regulations, paying particular attention to the key management aspects of maintenance and updating: IT lifecycle management control measures.
Departures from the assessment framework and the absence of control measures are weaknesses that we classify as ‘shortcomings’ or ‘serious shortcomings’ respectively. Classification is determined in part by:
- the duration of the shortcoming (9 months or longer),
- the financial implications,
- how seriously the shortcoming disrupted the ministry’s operational management.
General standards and further details
IT lifecycle management is a continuous, iterative process of understanding, planning (maintenance, management and updating), implementing the plans and monitoring their impact, and amendment where necessary.
IT lifecycle management consists of 5 steps that together mitigate the risks of IT landscapes becoming outdated and endangering the continuity of the tasks and processes supported by a ministry’s IT systems.
Effective and systematic maintenance keeps the IT systems operational. Maintenance underpins the continuity of public services. Timely maintenance reduces the risk that IT systems will fail and disrupt the services delivered to citizens and businesses. IT lifecycle management also reduces the risk of IT systems not being responsive enough to implement policy changes in a timely manner.
A ministry’s Chief Information Officer (CIO) is tasked with ‘developing and coordinating IT lifecycle management in the entire ministry’. The CIO ensures that the IT systems of the ministry as a whole are effectively and systematically maintained. This responsibility is laid down in the Civil Service CIO System Decree 2021.
Laws and regulations
General IT lifecycle management standards for the ministries’ IT landscapes are based on laws and regulations. The Government Accounts Act 2016, for instance, states that regularity, orderliness and auditability standards also apply to IT. The standards applying to government IT lifecycle management processes and responsibilities are worked out in further detail in decrees issued by the Minister of the Interior and Kingdom Relations. The Netherlands Court of Audit has also issued standards in ‘Essentials of good governance’ (December 2005) and includes standards in its publications on the Regularity Audit.
Regulations and instructions for the civil service, and ministerial decrees:
- Civil Service Organisation and Operational Management and Information Systems (Coordination) Decree 2011
- Civil Service CIO System Decree 2021.
Besides these decrees, the following policy rules apply:
- Responsible Updating Guidance, Central Government CIO, April 2021.
Furthermore, the audit standards framework for IT lifecycle management is based on relevant standards and best practices of the internationally accepted COBIT, ITIL and ASL frameworks. These standards and best practices have been adapted to the circumstances of central government. The standards framework is made up of the 5 steps in the lifecycle management process, insight into the IT landscape and Deming’s PDCA cycle (Plan, Do, Check, Act).
IT lifecycle management in 5 steps
IT lifecycle management consists of 5 steps that together mitigate the risks of an outdated IT landscape endangering the continuity of the tasks and processes supported by a ministry’s ICT systems.
Control measures
We assess the quality of IT lifecycle management by examining the following 10 generic control measures in the 5 steps of IT lifecycle management.
Step 1: Centralised insight into existing IT landscape
1. There is an insight into the existing IT landscape and associated risks.
Lifecycle management is founded on a ministry’s insight into its IT landscape as a whole, and especially into the applications that support the primary process. The landscape includes connections and interfaces, dependencies, end users and suppliers. There must also be an insight into the risks associated with the application landscape, such as overreliance on third parties.
2. There is an insight into the status of applications (including lifecycle stage) and associated risks.
To structure IT lifecycle management and manage risks to the continuity of the primary process, the risks must be known. There must therefore be an insight into the status of each application, its technical condition, business value and consequent expected life and stage in the lifecycle (active, outdated, phase out). Technical condition relates to the programming language, the platform on which an application runs, available documentation, etc. Business value is an indication of an application’s importance to the primary process. Information on applications must be documented in a structured and uniform manner over several years.
3. The ministry has an insight into the financial implications of the applications and of the IT landscape as a whole.
To organise IT lifecycle management and prepare a maintenance plan, insight is needed into the applications’ financial implications, such as management and maintenance costs per application, including multiyear projections in terms of time, people and resources, and depreciation.
Step 2: Continuity planning for the application landscape
4. The ministry has an information plan describing the IT strategy and objectives; the plan is consistent with the ministry’s vision, strategy and policy goals.
The IT must be able to implement and support the ministry’s policies. The IT vision, strategy and goals must therefore match the ministry’s vision, strategy and policy goals. The match must be visible in an information plan and in the plans on IT continuity and effectiveness. To prepare the information plan, an insight is needed into the ministry’s policy goals and the involvement of the business. The plan should incorporate lessons learned and earlier recommendations. The ministry’s CIO is responsible for preparing and maintaining the information plan.
5. There is an overarching maintenance plan for the applications that support the ministry’s primary process.
To ensure the continuity of the application landscape’s support for the organisation’s primary process, applications must be maintained and updated, taking account of identified risks. An overarching maintenance plan must therefore be drawn up, describing how application risks will be managed throughout the lifecycle. The maintenance plan must set out how the applications will remain responsive to support a range of policy decisions.
6. There are specific plans for high-risk components in the application landscape.
Based on the insight into the status, importance and quality of the applications and the associated risk of disruptions to the primary process, plans must be prepared specifically to ensure that high-risk applications in the primary process are and remain robust.
Step 3: Implementation of management and maintenance
Responsibility for this step lies with the line/executive organisation.
Step 4: Monitor results and make improvements
7. Results are monitored and the ministry’s CIO has an insight into progress.
It must be known whether the overarching and specific maintenance plans that are implemented make the applications more robust and improve the management of identified risks. Progress must therefore be known and results monitored in relation to the goals. The organisation must be aware of the benefits realised.
8. Implemented plans lead to IT and/or business improvements.
Improvements must be related to the goals, formulated in SMART terms and demonstrable, for example:
a. better continuity and availability, e.g. less disruption,
b. lower management and maintenance costs,
c. greater adaptability, IT flexibility,
d. less need for scarce specialists,
e. higher security level,
f. improved data quality.
Step 5: Evaluation and control and modification of the approach
9. An evaluation and control process is followed.
The IT lifecycle management process at the ministries must also be evaluated in order to validate and improve the process. Besides internal evaluations, an organisational unit or independent body can check and evaluate the process. Independent assessment can be periodically repeated if necessary. External recommendations and advisory reports are included in the evaluation where available.
10. IT lifecycle management is amended if there is cause to do so.
If monitored results or internal/external evaluations and studies give cause, the approach is amended based on practicable management information. Overarching and specific plans are revised to reflect new insights. The organisation identifies weaknesses and learns to manage risks better, and strengthens its control of the application landscape.