The ITSM Practice: Elevating ITSM and IT Security Knowledge

In this episode of the ITSM Practice Podcast, Luigi Ferri challenges the illusion of security frameworks and compliance culture. Exploring the Secure Controls Framework (SCF), ISO, NIST and ITIL 5, he exposes governance immaturity, framework sprawl and risk misalignment. A sharp reflection on cybersecurity governance, enterprise risk management and why compliance without thinking weakens leadership.

In this episode, we answer to:
Is compliance replacing real risk-based security governance?
Why do organizations accumulate ISO, NIST and SCF instead of clarifying risk ownership?
How does ITIL 5 transform control frameworks into accountable governance?

Resources Mentioned in this Episode:
Compliance Forge website, article "The Secure Controls Framework (SCF) Is The Common Controls Framework (CCF)", link https://complianceforge.com/scf/what-is-the-scf/

Secure Controls Framework website, article "The SCF Makes Compliance A Natural Byproduct of Secure Practices", link https://securecontrolsframework.com/what-is-the-scf/

Secure Controls Framework on GitHub, article "The Secure Controls Framework (SCF) is a meta-framework (framework of frameworks) that maps to over 100 cybersecurity and privacy-related laws, regulations and industry frameworks", link https://github.com/securecontrolsframework/securecontrolsframework

Secure Controls Framework website, article "Security, Compliance & Resilience (SCR) Principles", link https://securecontrolsframework.com/domains-principles/

Secure Controls Framework website, article "Secure, Compliant & Resilient Capability Maturity Model (SCR-CMM)", link https://securecontrolsframework.com/free/capability-maturity-model/

Connect with me on:
LinkedIn: https://www.linkedin.com/in/theitsmpractice/
Website: http://www.theitsmpractice.com
And if you want more tips and guidance, follow me on LinkedIn. I am sharing daily posts regarding Enterprise Service Management, IT Service Management, and IT Security.

Credits:
Sound engineering by Alan Southgate - http://alsouthgate.co.uk/

Graphics by Yulia Kolodyazhnaya

ITIL 5 marks a decisive shift in IT Service Management. Moving beyond ITIL 4, it reframes services as AI-enabled digital product–service systems governed through data-driven decision models. This episode explores governance, accountability, CIO and CISO implications, and why ITIL 5 transforms service management into system leadership in an AI-native world.

In this episode, we answer to:
How does ITIL 5 redefine IT Service Management in an AI-native environment?
What changes from ITIL 4 to ITIL 5 in governance, digital products, and value streams?
What does ITIL 5 mean for CIOs and CISOs managing AI-driven digital services?

Resources Mentioned in this Episode:
ITIL Training Academy website, article "ITIL® (Version 5): Everything New in ITIL Latest Version", link https://www.itil.org.uk/blog/itil-version-5-a-complete-guide

ServiceNow website, article "Understanding ITIL 5: What’s New and How It Builds on ITIL 4", link https://www.servicenow.com/community/virtual-agent-forum/understanding-itil-5-what-s-new-and-how-it-builds-on-itil-4/m-p/3478594

Novelvista website, article "ITIL 4 vs ITIL (Version 5): What’s New, Changed, and Refined?", link https://www.novelvista.com/blogs/it-service-management/itil4-vs-itil5

PeopleCert website, article "ITIL Foundation (Version 5)", link https://www.peoplecert.org/browse-certifications/it-governance-and-service-management/ITIL-1/itil-5-foundation-version-50-4154

Tarun Dewat, LinkedIn post "ITIL 5 has officially arrived, and it’s one of the most transformative updates the IT service management world has seen in years", link https://www.linkedin.com/posts/tarun-dewat-699818222_itil-5-has-officially-arrived-and-its-one-activity-7422705091654275073-6AxT

ageeogee user on Reddit, post "Will ITIL 5 look more like 3 or 4?", link https://www.reddit.com/r/ITIL/comments/1l4bak8/will_itil_5_look_more_like_3_or_4/

Connect with me on:
LinkedIn: https://www.linkedin.com/in/theitsmpractice/
Website: http://www.theitsmpractice.com
And if you want more tips and guidance, follow me on LinkedIn. I am sharing daily posts regarding Enterprise Service Management, IT Service Management, and IT Security.

Credits:
Sound engineering by Alan Southgate - http://alsouthgate.co.uk/

Graphics by Yulia Kolodyazhnaya

In this episode of The ITSM Practice Podcast, Luigi Ferri explains why IT maturity is the decisive factor in successful IT carve-outs. From dependency mapping to ITIL v3 governance and continuity stress testing, the episode shows how disciplined IT Service Management prevents disruption, cost overruns, and failed separations during complex enterprise transitions.

In this episode, we answer to:
Where is the real boundary between what IT owns and what a carved-out unit must take?
What breaks first when a shared IT service disappears during a carve-out?
Why does IT governance need to come before architecture and migration design?

Resources Mentioned in this Episode:
AvenDATA website, article "What is a carve-out and why is it important?", link https://avendata.com/blog/what-is-a-carve-out-and-why-does-it-matter

Umbrex website, article "Stakeholder Alignment and Governance", https://umbrex.com/resources/carve-out-playbook/stakeholder-alignment-and-governance/

Invgate website, article "The most flexible no-code ITSM solution", link https://invgate.com/itsm/itil/itil-service-lifecycle

Rezolve AI website, article "ITIL v3: Framework & Best Practices", link https://www.rezolve.ai/blog/itil-v3-framework-best-practices

Alloy Software website, article "5 Stages of the ITIL Service Lifecycle: A Simple Guide to Better IT Service Management", link https://www.alloysoftware.com/blog/itil-lifecycle/

Eurostep website, article "Data carve-out best practices: Insights into streamlining data separation for business units", link https://www.eurostep.com/data-carve-out-best-practices-insights-into-streamlining-data-separation-for-business-units/

Connect with me on:
LinkedIn: https://www.linkedin.com/in/theitsmpractice/
Website: http://www.theitsmpractice.com
And if you want more tips and guidance, follow me on LinkedIn. I am sharing daily posts regarding Enterprise Service Management, IT Service Management, and IT Security.

Credits:
Sound engineering by Alan Southgate - http://alsouthgate.co.uk/

Graphics by Yulia Kolodyazhnaya

HITRUST certification is not a shortcut to trust. In this episode of The ITSM Practice Podcast, Luigi Ferri explains why real success with HITRUST depends on operational maturity, disciplined processes, and ITIL 4 practices. Learn how process consistency, evidence, and repeatability are the true foundations of sustainable compliance and security.

In this episode, we answer to:
Why do many mid-size organizations fail HITRUST despite strong technical controls?
How do ITIL 4 practices enable sustainable HITRUST certification?
Which process maturity gaps block HITRUST readiness the most?

Resources Mentioned in this Episode:
HITRUST Alliance website, article "HITRUST CSF Framework overview", link https://hitrustalliance.net/hitrust-framework

HITRUST Alliance website, article "HITRUST CSF Control Maturity Evaluation Guide", link https://hitrustalliance.net/hubfs/Download%20Center%20%2B%20Partner%20Content/Evaluating-Control-Maturity-Using-the-HITRUST-Approach.pdf

Schneider Downs website, article "Complete Guide to HITRUST Certification", link https://schneiderdowns.com/guide-to-hitrust-certification/

Tevora website, article "HITRUST Certification Top Strategies for Effective Evidence Collection", link https://www.tevora.com/resource/hitrust-certification-top-strategies-for-effective-evidence-collection/

Connect with me on:
LinkedIn: https://www.linkedin.com/in/theitsmpractice/
Website: http://www.theitsmpractice.com
And if you want more tips and guidance, follow me on LinkedIn. I am sharing daily posts regarding Enterprise Service Management, IT Service Management, and IT Security.

Credits:
Sound engineering by Alan Southgate - http://alsouthgate.co.uk/

Graphics by Yulia Kolodyazhnaya

In this episode of The ITSM Practice Podcast, we explore what FISMA really means for midsize, cloud-native security teams. Using real-world scenarios, we explain why FISMA was built for federal systems, where it clashes with cloud responsibility models, and how a risk-based adoption strengthens governance without falling into compliance theatre.

In this episode, we answer to:
Do FISMA controls apply to cloud-native and SaaS-based environments?
How can midsize companies use FISMA without full federal-style compliance?
Why is risk-based adoption more effective than checklist compliance in the cloud?

Resources Mentioned in this Episode:
CISA website, Federal Information Security Modernization Act page, link https://www.cisa.gov/topics/cyber-threats-and-advisories/federal-information-security-modernization-act

NIST website, NIST Special Publication 800-53, link https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf

Secureframe website, article "FISMA Compliance: What It Is and How to Achieve It", link https://secureframe.com/hub/nist-800-53/fisma-compliance

Security Compass website, article "ISO 27001 vs NIST 800-53", link https://www.securitycompass.com/blog/iso-27001-vs-nist-800-53/

Connect with me on:
LinkedIn: https://www.linkedin.com/in/theitsmpractice/
Website: http://www.theitsmpractice.com
And if you want more tips and guidance, follow me on LinkedIn. I am sharing daily posts regarding Enterprise Service Management, IT Service Management, and IT Security.

Credits:
Sound engineering by Alan Southgate - http://alsouthgate.co.uk/

Graphics by Yulia Kolodyazhnaya