ITIL 4 Framework (IT Service Management)
The fourth iteration of the IT Infrastructure Library, providing a flexible and integrated operating model for the delivery and operation of tech-enabled products and services.
ITIL 4, released in 2019, represents a significant evolution from ITIL v3's process-centric model to a holistic service management system built around the Service Value System (SVS) and Service Value Chain. The SVS describes how all components and activities of an organization work together to facilitate value co-creation, with the Service Value Chain at its core — a flexible operating model with six activities: Plan, Improve, Engage, Design and Transition, Obtain and Build, and Deliver and Support. ITIL 4 introduces 34 management practices (replacing the 26 v3 processes) organized into General Management, Service Management, and Technical Management categories. The framework explicitly embraces Agile, DevOps, and Lean methodologies, positioning ITIL as a complement to — rather than a competitor of — modern delivery approaches.
Implementing ITIL 4 in a regulated environment requires mapping its practices to compliance evidence requirements. Incident Management practices must produce records that satisfy regulatory incident reporting obligations. Change Enablement practices must integrate with change advisory board (CAB) workflows that produce documented approvals required by SOX IT General Controls, PCI DSS Change Control, or FDA 21 CFR Part 11 audit trail requirements. The Configuration Management practice, when backed by an accurate CMDB, provides the asset inventory evidence base required by multiple compliance frameworks. ITIL 4's emphasis on measurement and reporting means that KPI frameworks must be designed to generate not just operational metrics but compliance-demonstrating indicators.
The transition from ITIL v3 to ITIL 4 is a common source of compliance risk. Organizations that have built SOX ITGC controls documentation around specific v3 process names (Change Management, Release Management) must remap controls to ITIL 4 practice equivalents before auditors flag the discrepancy. ITIL 4's guiding principle of "start where you are" is practically important for regulated organizations — it legitimizes incremental adoption rather than requiring a wholesale process redesign, reducing the operational disruption that can generate control gaps. The ITIL 4 Practice Guides, available as supplementary publications, provide implementation guidance at a granularity that supports compliance control mapping.
We implement ITIL 4 service management practices with compliance control mapping built in from day one, ensuring Incident, Change, and Configuration Management practices generate evidence meeting SOX ITGC, PCI DSS, and HIPAA audit requirements. Our ITIL 4 transitions include a v3-to-v4 control remapping exercise to prevent compliance documentation gaps.