Introduction
I first wrote the Practical ITAM framework around 2015, in answer to questions from practitioners about how to get started and make a difference in IT asset management. Many of those same professionals now manage teams, and the job has only grown harder. Cloud was meant to simplify things; instead, with SaaS and AI now in the mix, IT estates are more complex than ever, and IT no longer just supports organisations, it runs them.
So I want to introduce a new framework, the IT Asset Governance Framework, built on everything I learned developing Practical ITAM and taking thousands of practitioners through it. Three things make it different.
1) It deals in definitive outcomes, not woolly descriptions.
Best-practice models are often abstract. Here, every component is a specific thing to achieve: a binary outcome you have either done or you have not. And you can predict and measure the business value of doing it. The framework is built of 25 such outcomes.
2) It is built on the international standard, with one deliberate addition.
Twenty-four of the 25 are drawn directly from ISO/IEC 19770-1. The twenty-fifth is new, and to my mind the most important: managing the value of IT asset management itself. Most frameworks leave that value implicit. Here it sits at the centre, a thing to be planned, measured and grown like any other.
The function then runs on two loops side by side: a governance loop, where leadership reviews progress and authorises change, and a value loop, where the team plans, pursues and proves the value delivered. Most management systems give you the first loop. The value loop is what this framework adds. Combined with a strong communications plan, it is what earns IT asset management a seat at the table, and keeps it there.
Sustaining the exchange between the two loops is how IT asset management keeps its seat at the table.
3) It is modular, because organisations want different things.
One chasing cost control needs different components than one facing a regulatory audit. So the framework is built to be customised around the summit an organisation chooses to climb. Every climb is different, but everyone routes through the same Basecamp: trustworthy data. Each summit is a defined subset of the 25 things; full ISO conformance is not a summit in itself, but the sum of climbing them all.
Objectives
What the framework sets out to achieve.
- Make improvement measurable. Progress is concrete and provable, never a subjective maturity score.
- Help the function earn its place by proving its value. Business value comes first, so IT asset management can justify itself and win the backing it needs.
- Meet the organisation where it is, and let it choose its route. Usable from the first steps to certification; the organisation picks the destination that fits its needs, with full ISO conformance one option rather than the mandatory end.
Guiding principles
What the framework stands for.
- Value first. The framework leads with business value at every step. ISO conformance proves you have done it well; it is never the point of the exercise.
- Tangible outcomes. Everything is a thing an organisation either has or does not have, never a vague competency or maturity score.
- Built on the standards. Constructed from the ground up on ISO/IEC 19770-1 and ISO/IEC TS 19770-10.
- Every step pays its way. Each thing comes with the business value it delivers and a way to measure it, backed by real industry examples.
- Plain language. Described in terms anyone in the business can follow, free of jargon and filler.
The model
The framework is a register of 25 tangible things, grouped into three tiers: Leadership (direction and enablement), Operations (the machinery), and Assurance (oversight and improvement). Each thing maps to a clause of ISO/IEC 19770-1, with one exception: value management, which is new.
The register of 25 things
Leadership – direction and enablement
| # | Thing | Descriptor | ISO |
|---|---|---|---|
| 1 | Business plan | A signed plan that sets the scope and objectives for IT asset management, each tied to a business goal. | 4.1, 4.3, 6.2 |
| 2 | Sponsor & mandate | A named senior owner who has formally authorised the function and backs it. | 5.1 |
| 3 | Policy | An approved statement of what the organisation requires and permits for IT assets. | 5.2 |
| 4 | Roles & authorities | A documented allocation of who is responsible for each activity and who can authorise spend. | 5.3 |
| 5 | Stakeholder register | A record of who IT asset management serves and depends on, and what each needs. | 4.2 |
| 6 | Risk & opportunity register | A maintained list of risks and savings opportunities, each with an owner and a response. | 6.1 |
| 7 | Resource & budget | An agreed allocation of people and money sufficient to deliver the plan. | 7.1 |
| 8 | Communications plan | A plan for what is communicated, to whom and how. | 7.3, 7.4 |
| 9 | Competence & training | A record of the competence each role needs versus holds, with the training that closes the gap. | 7.2 |
| 10 | Value management | A value plan stating the business value the function will deliver, reviewed regularly against what is actually delivered. | New |
Operations – the machinery
| # | Thing | Descriptor | ISO |
|---|---|---|---|
| 11 | ITAM tools | The platform(s) used to collect and hold asset data and run the processes. | 7.1 |
| 12 | Data management plan | A definition of the data needed: which attributes, from which sources, to what quality, and how it is maintained. | 7.5 |
| 13 | Asset register & discovery | A maintained record of the in-scope assets, fed by automated discovery and kept accurate to an agreed tolerance. | 8.2 |
| 14 | Request process | A defined route for acquiring assets that offers preferred options and captures data at the point of request. | 8.1, 8.2 |
| 15 | Change & lifecycle integration | A link into the organisation’s change processes so the asset record stays accurate as IT assets move through their lifecycle. | 8.2 |
| 16 | Reclamation & end-of-life | The processes that recover unused assets and dispose of retired ones responsibly and within the rules. | 8.2 |
| 17 | Renewals calendar | A forward record of contract, maintenance and subscription dates so renewals are managed before notice deadlines. | 8.2 |
| 18 | Entitlement & usage position | A reconciled view, for key vendors, of what you are entitled to or have paid for versus what you are actually using. | 8.2 |
| 19 | Outsourcing & services control | A defined account of which activities and services are run by third parties, and the controls over them. | 8.3 |
| 20 | Documentation | A version-controlled record of the core documents and of what was decided and why, so the current position and its reasoning are always known. | 7.6 |
Assurance – oversight and improvement
| # | Thing | Descriptor | ISO |
|---|---|---|---|
| 21 | Review meeting | A regular, minuted meeting at which decision-makers review performance and authorise changes. | 5.1, 9.3 |
| 22 | KPI / metrics pack | An agreed set of measures, reported on a cadence, showing performance and value. | 9.1 |
| 23 | Internal audit | A planned check that controls are in place and working, with findings logged. | 9.2 |
| 24 | Corrective action log | A record of issues and the actions taken to fix them and prevent recurrence. | 10.1 |
| 25 | Continual improvement & benefit log | A record of the improvements made and the value realised. | 10.2 |
Choosing your summit
No organisation needs all 25 things at once. Everyone starts at Basecamp, the trustworthy-data foundation every climb depends on. From there, an organisation focuses on the summit that matches the pressure it is under, each summit being a defined subset of the 25 things to prioritise next.
Here are two worked examples, set side by side so they can be compared.
| Cost control | Risk and security | |
|---|---|---|
| For | An organisation under pressure to cut and control spend. | An organisation focused on closing security exposure. |
| Priorities (with Basecamp) | Value management, request process, reclamation, renewals calendar, entitlement and usage position. | Risk register, change integration, retiring unsupported assets, control of outsourced services. |
| Why these | Find waste, stop it before it is committed, harvest what you already own, and expose where you pay for more than you use. | Surface what you hold, keep the picture current as things change, remove unsupported attack surface, and close third-party gaps. |
| Deferred | The assurance loop and the security controls; the wider leadership work. | The cost levers and the audit and compliance work; the wider leadership work. |
The same 25 things are shown for each example below, with that summit’s priorities highlighted and the rest faded.
Example: cost control
Example: risk and security
These two are only examples. Choosing a summit is about reaching value quickly, focusing first on the things that matter most to the pressure you are under. It is not a final destination. Other summits are defined the same way, among them Operational Efficiency, Sustainable IT, and Audit and Compliance Defensible, and an organisation can shape its own around a need we have not named here.
Summary
The IT Asset Governance Framework turns IT asset management into 25 tangible things, each one you either have or you do not, grouped into Leadership, Operations and Assurance. Twenty-four are drawn from ISO/IEC 19770-1; the twenty-fifth, managing value, is the addition that keeps the function earning its place. Organisations start at Basecamp and climb the summit that fits the pressure they are under, reaching full ISO conformance only if and when they choose to.
This framework will become a reference book and will direct LISA’s training curriculum. It is published here in draft, and I welcome feedback from across the ITAM community to sharpen it.
