Chapter 11 of 14
Key ITIL 4 Practices IV: Information Security, Relationship, and Supplier Management
Look beyond the service desk to the practices that protect information, manage customers, and keep suppliers aligned with business goals.
Big Picture: Where These Practices Fit in ITIL 4
From Practices to Value
In ITIL 4, practices are flexible organizational resources used to co-create value. You have already seen change, release, deployment, and support practices that keep services working.
Three Behind-the-Scenes Practices
This module covers three key practices: information security management, relationship management, and supplier management. They shape how services are trusted and governed.
Value and Risk in the SVS
These practices sit inside the ITIL 4 Service Value System. They help balance value co-creation with risk control by protecting information, aligning stakeholders, and managing suppliers.
Exam Focus
Your goals: state the purpose of each practice, link them to value and risk, and recognize roles and responsibilities in short scenarios, rather than memorizing technical standards.
Information Security Management: Purpose and Key Ideas
Purpose of InfoSec Management
The purpose of the information security management practice is to protect the information needed by the organization to conduct its business.
CIA: Core Security Goals
Three classic goals: confidentiality (no unauthorized access), integrity (accurate and complete), and availability (accessible to authorized users when needed).
Risk-Based Security
Security controls should be proportionate to risk and information value. Not every asset needs the same level of protection; security is built into the value chain.
InfoSec in the SVS
Information security management supports governance, guiding principles, and all service value chain activities, especially design, build, and support.
Information Security in Practice: Short Scenarios
Scenario 1: HR Access Control
HR salary and health data is protected with role-based access, multi-factor authentication, and access logging. This focuses on confidentiality and risk-based controls.
Scenario 2: Avoiding Data Loss
Student support case notes are replicated, backed up nightly, and covered by a disaster recovery plan. These measures protect availability and integrity.
Scenario 3: Secure Changes
Before adding a new payment option, the team runs a security review, tests in non-production, and updates privacy notices. Security is built into change enablement.
Spotting the Practice
In questions mentioning access permissions, encryption, backups, or security reviews, the relevant practice is almost always information security management.
Relationship Management: Purpose and Roles
Purpose of Relationship Management
The purpose of relationship management is to establish and nurture the links between the organization and its stakeholders at strategic and tactical levels.
Customer, User, Sponsor
The customer defines requirements and takes responsibility for the outcomes of service consumption. The user uses the service day to day. The sponsor authorizes the budget or funding for the service.
Role Overlaps
One person can be customer and sponsor, or customer and user. For example, a CEO might fund and specify a CRM system, while staff are the users.
Beyond the Service Desk
Service desks handle day-to-day tickets. Relationship management focuses on ongoing communication, expectations, complaints, and overall satisfaction.
Who is the Customer, User, and Sponsor?
Work through these short thought exercises. After each, say out loud (or note down): customer, user, sponsor.
- University learning platform
  - A university buys a cloud-based learning management system.
  - The IT department signs the contract.
  - Students and lecturers use the platform to access course materials.
  - The central finance office approves the budget.
Questions:
- Who is mainly the customer?
- Who are the users?
- Who is the sponsor?
Think, then check suggested answers below.
Suggested mapping:
- Customer: The academic department(s) or the university as a whole (they define requirements and are accountable for outcomes).
- Users: Students and lecturers.
- Sponsor: Central finance (or a senior manager) who approved the funding.
- Small business CRM
  - A small online shop adopts a simple CRM tool.
  - The owner chooses the CRM, pays the monthly subscription, and uses it daily.
  - Two sales assistants also use the CRM.
Questions:
- Who is the customer?
- Who is the user?
- Who is the sponsor?
Suggested mapping:
- Customer: The shop owner (defines what is needed and is accountable for outcomes).
- Users: The owner and the sales assistants.
- Sponsor: Also the owner (funds the service).
When you see exam scenarios, practice quickly labeling these three roles before you look at the answer options. It often makes the correct option obvious.
Supplier Management: Purpose and Responsibilities
Purpose of Supplier Management
Supplier management ensures that suppliers and their performance are managed appropriately to support the seamless provision of quality products and services.
Types of Suppliers
Modern services depend on cloud providers, telecoms, software vendors, and outsourced services. These become part of your overall service delivery.
Core Responsibilities
Key tasks: define supplier strategy, manage contracts and SLAs, review performance, and handle supplier-related risks such as over-reliance or poor security.
Links to Other Practices
Supplier management works with information security (security clauses in contracts) and relationship management (strategic communication with key suppliers).
Supplier Risks and How ITIL 4 Handles Them
Risk 1: Single Cloud Provider
If all critical systems run on one cloud provider in one region, a single outage can stop the business. Supplier management explores multi-region deployment, stronger SLAs, and continuity and exit plans.
Risk 2: Weak Supplier Security
A data analytics supplier with unclear security practices is a risk to the data it processes. Supplier management adds security clauses to the contract, requires audits or assurance evidence, and works with information security management on the requirements.
Risk 3: Outsourced Help Desk
If an external help desk is slow and roles are unclear, supplier management defines SLAs, reviews performance, and aligns with relationship management.
Spotting Supplier Management
In questions about contracts, vendor SLAs, outsourced services, or supplier performance, the relevant practice is supplier management.
Quick Check: Match Practice to Scenario
Try this question to check your understanding of which practice applies.
A university IT department is negotiating with a new cloud provider. They want to ensure strong uptime commitments, clear security responsibilities, and regular performance reports. Which ITIL 4 practice is MOST directly responsible for managing this ongoing agreement?
- A) Information security management
- B) Relationship management
- C) Supplier management
- D) Service desk
Answer: C) Supplier management
Supplier management is primarily responsible for managing suppliers and their performance, including contracts, SLAs, and regular reviews. Information security management contributes security requirements, and relationship management may handle broader stakeholder communication, but the ongoing agreement with the cloud provider is mainly within supplier management.
Key Terms Review
Use these flashcards to reinforce the main concepts before you move on.
- Information security management (purpose)
  - To protect the information needed by the organization to conduct its business.
- Three core security goals (CIA)
  - Confidentiality, Integrity, Availability.
- Relationship management (purpose)
  - To establish and nurture the links between the organization and its stakeholders at strategic and tactical levels.
- Supplier management (purpose)
  - To ensure that the organization's suppliers and their performance are managed appropriately to support the seamless provision of quality products and services.
- Customer (ITIL 4 role)
  - The role that defines requirements for a service and takes responsibility for the outcomes of service consumption.
- User (ITIL 4 role)
  - The role that uses services on a day-to-day basis.
- Sponsor (ITIL 4 role)
  - The role that authorizes the budget for service consumption.
- Supplier-related risk example
  - Over-reliance on a single cloud provider without an exit or continuity plan.
- Difference: relationship management vs service desk
  - Relationship management handles ongoing, higher-level stakeholder relationships; the service desk handles day-to-day operational contacts such as incidents and requests.
Key Terms
- User
  - Role that uses services on a day-to-day basis.
- Sponsor
  - Role that authorizes the budget for service consumption.
- Customer
  - Role that defines requirements for a service and takes responsibility for the outcomes of service consumption.
- CIA triad
  - A model of three core information security goals: Confidentiality, Integrity, and Availability.
- Service value chain
  - Central element of the SVS, a set of interconnected activities that an organization performs to deliver a valuable product or service.
- Supplier management
  - ITIL 4 practice that ensures suppliers and their performance are managed appropriately to support seamless delivery of quality products and services.
- Underpinning contract
  - A contract between a service provider and an external supplier that supports the delivery of services to a customer.
- Relationship management
  - ITIL 4 practice that establishes and nurtures links between the organization and its stakeholders at strategic and tactical levels.
- Service Value System (SVS)
  - ITIL 4 model describing how all components and activities of an organization work together to enable value creation.
- Service Level Agreement (SLA)
  - A documented agreement between a service provider and a customer that identifies both the services required and the expected performance levels.
- Information security management
  - ITIL 4 practice whose purpose is to protect the information needed by the organization to conduct its business, focusing on confidentiality, integrity, and availability.