The ITSM Practice: Elevating ITSM and IT Security Knowledge

Episodi

• Identity Is the New Perimeter 02.06.2026 10min

  AI is changing cybersecurity faster than most organizations can govern it. In this episode of The ITSM Practice Podcast, Luigi Ferri explores why identity has become the true enterprise perimeter. As organizations race to deploy Agentic AI, autonomous agents, cloud platforms, and APIs, many are building on identity governance models that were never designed for machine-scale decision-making. From Zero Trust Architecture and Identity & Access Management (IAM) to the lessons behind major breaches at MGM, Snowflake, and Uber, this episode examines a critical question: If enterprises struggled to govern human identities, how will they govern autonomous AI identities? Discover why AI governance without identity governance is impossible, why identity is evolving into the operational control plane of digital business, and what CIOs and CISOs must do before AI adoption outpaces organizational control.In this episode, we answer:Why is identity becoming the new perimeter in the age of AI?What risks emerge when autonomous agents operate without strong identity governance?How can organizations redesign trust before AI scales faster than governance?Resources Mentioned in this Episode: NIST website, Zero Trust Architecture (SP 800-207), link https://csrc.nist.gov/pubs/sp/800/207/final?NIST website, AI Risk Management Framework, link https://www.nist.gov/itl/ai-risk-management-frameworkEuropean Commission website, EU AI Act, link https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-aiDark Reading website, article "Okta Agent Involved in MGM Resorts Breach, Attackers Claim", link https://www.darkreading.com/application-security/okta-flaw-involved-mgm-resorts-breach-attackers-claimCyberark website, article "The MGM Resorts Attack: Initial Analysis", link https://www.cyberark.com/resources/blog/the-mgm-resorts-attack-initial-analysisBlackfog website, article "Showflake Data Breach Explained", link https://www.blackfog.com/snowflake-data-breach-explained-key-lessons/Cloud Security Alliance website, article "Unpacking the 2024 Snowflake Data Breach", link https://cloudsecurityalliance.org/blog/2025/05/07/unpacking-the-2024-snowflake-data-breachUSA CISA website, article "Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester", link https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-320a?USA CISA website, advisory on MFA fatigue and modern identity attacks, link https://www.cisa.gov/news-events/alerts/2022/10/31/cisa-releases-guidance-phishing-resistant-and-numbers-matching-multifactor-authenticationConnect with me on:LinkedIn: https://www.linkedin.com/in/theitsmpractice/Website: http://www.theitsmpractice.comAnd if you want more tips and guidance, follow me on LinkedIn. I am sharing daily posts regarding Enterprise Service Management, IT Service Management, and IT Security.Credits:Sound engineering by Alan Southgate - http://alsouthgate.co.uk/Graphics by Yulia Kolodyazhnaya
• FINMA and ITIL 4: Building Resilient Swiss Banks 26.05.2026 9min

  FINMA Circular 2023/1 is transforming operational resilience from a compliance exercise into a strategic leadership priority for Swiss banks. In this episode, Luigi Ferri explains why ITIL 4 is far more than ITSM, it is a powerful enterprise operating model that connects governance, cybersecurity, risk management, supplier coordination, and business continuity to build truly resilient financial institutions.In this episode, we answer to:Why is operational resilience becoming the new license to operate for banks?How does ITIL 4 support FINMA resilience and cybersecurity requirements?What organizational silos are preventing true enterprise resilience?Resources Mentioned in this Episode: Finma website, Circular 2023/1 Operational risks and resilience for banks, link https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2023-01-20221207.pdfFinma website, article "FINMA publishes Circular “Operational risks and resilience – banks”, link https://www.finma.ch/en/news/2022/12/20221213-mm-anh-rs-op-risks/KPMG website, article "FINMA Circular 2023/1", link https://assets.kpmg.com/content/dam/kpmgsites/ch/pdf/finma-circular-2023.pdf.coredownload.inline.pdf InfoGuard website, article "FINMA Circular 2023/1 Checklist - Ready for a regulatory audit?", link https://www.infoguard.ch/hubfs/images/blog/24/InfoGuard-FINMA-Checkliste_EN.pdf Manage Engine website, article "The ITIL 4 Service Value System", link https://www.manageengine.com/products/service-desk/itsm/itil-4-service-value-system.html Connect with me on:LinkedIn: https://www.linkedin.com/in/theitsmpractice/Website: http://www.theitsmpractice.comAnd if you want more tips and guidance, follow me on LinkedIn. I am sharing daily posts regarding Enterprise Service Management, IT Service Management, and IT Security.Credits:Sound engineering by Alan Southgate - http://alsouthgate.co.uk/Graphics by Yulia Kolodyazhnaya
• Broken Transmission: Why Fintech Strategy Fails 19.05.2026 6min

  Broken Transmission: Why Agile Fintechs Miss Strategy | In this episode of The ITSM Practice Podcast, Luigi Ferri explains why fintech strategy execution fails despite Agile delivery, strong squads, and constant releases. Learn how fragmented ownership, poor prioritization, and disconnected KPIs create operational misalignment, reducing business outcomes and authorization rate performance.In this episode, we answer to:Why do Agile fintech teams fail to execute business strategy effectively?How does fragmented ownership impact authorization rate improvement initiatives?Why do operational priorities override strategic portfolio management in fintech organizations?Resources Mentioned in this Episode:Project Management Institute, whitepaper "The High Cost of Low Performance 2014", link https://www.pmi.org/-/media/pmi/documents/public/pdf/learning/thought-leadership/pulse/pulse-of-the-profession-2014.pdf University of Salford - Manchester, Abdallah M. Salameh, document "A Heterogeneous Approach to Agile Tailoring", link https://salford-repository.worktribe.com/OutputFile/1487893 Institute of Project Management website, article "The Emerging Importance of Benefits Realisation", link https://projectmanagement.ie/blog/the-emerging-importance-of-benefits-realisation/ McKinsey & Company website, article "Don’t cancel or coddle at-risk capital projects—challenge them", link https://www.mckinsey.com/capabilities/operations/our-insights/dont-cancel-or-coddle-at-risk-capital-projects-challenge-them Connect with me on:LinkedIn: https://www.linkedin.com/in/theitsmpractice/Website: http://www.theitsmpractice.comAnd if you want more tips and guidance, follow me on LinkedIn. I am sharing daily posts regarding Enterprise Service Management, IT Service Management, and IT Security.Credits:Sound engineering by Alan Southgate - http://alsouthgate.co.uk/Graphics by Yulia Kolodyazhnaya
• FINOS vs ISO 42001: What to Choose 12.05.2026 8min

  Fintech leaders: stop defaulting to ISO 42001. Discover how FINOS empowers you to design scalable, audit-ready AI governance before regulation forces your hand. Learn to align controls, reduce risk, and build governance by design—not by pressure.In this episode, we answer to:What makes FINOS a powerful alternative to ISO 42001?How can fintechs design governance before audits hit?Why does governance fail without alignment?Resources Mentioned in this Episode:FINOS website, article "AI Strategic initiative series: Building an AI Governance Framework - Key Takeaways from the NYC Workshop", link https://www.finos.org/blog/building-an-ai-governance-framework-key-takeaways-from-the-nyc-workshop FINOS website, article "FINOS AI Governance Framework v1.0 — Turning Drafts into Deployable Guardrails", link https://www.finos.org/blog/finos-ai-governance-framework-v1.0-turning-drafts-into-deployable-guardrails Air Governance website, article "A heuristic approach to identifying GenAI risks", link https://air-governance-framework.finos.org/heuristic-assessment.html Air Governance website, article "FINOS AI Governance Framework", link https://air-governance-framework.finos.org GitHub website, repo "finos/ai-governance-framework - Public", link https://github.com/finos/ai-governance-framework Connect with me on:LinkedIn: https://www.linkedin.com/in/theitsmpractice/Website: http://www.theitsmpractice.comAnd if you want more tips and guidance, follow me on LinkedIn. I am sharing daily posts regarding Enterprise Service Management, IT Service Management, and IT Security.Credits:Sound engineering by Alan Southgate - http://alsouthgate.co.uk/Graphics by Yulia Kolodyazhnaya
• Who Owns Cloud Security? 05.05.2026 9min

  A single question can expose a major cloud risk: who is responsible? This episode breaks down the cloud shared responsibility model, revealing how unclear ownership, misconfigurations, and weak governance lead to data breaches, and how ISO/IEC 27017 helps close the gaps.In this episode, we answer to:Who is really accountable for cloud security failures?Why do misconfigurations cause most cloud data breaches?How does ISO/IEC 27017 strengthen cloud security governance?Resources Mentioned in this Episode:ISO Standards website, standard ISO/IEC 27017:2015, link https://www.iso.org/standard/43757.htmlVanta website, article "The ultimate guide to ISO 27017", link https://www.vanta.com/collection/iso-27001/guide-to-iso-27017Microsoft website, article "ISO/IEC 27017:2015", link https://learn.microsoft.com/en-us/azure/compliance/offerings/offering-iso-27017 Safeshield website, article "Why should SaaS companies comply with the ISO/IEC 27017 security standard for cloud service providers (CSP)", link https://www.safeshield.cloud/why-should-saas-companies-comply-with-the-iso-27017-security-standard-for-cloud-service-providers-csp NordLayer website, article "ISO 27017: cloud protection essentials", link https://nordlayer.com/learn/iso/iso-27017/ Connect with me on:LinkedIn: https://www.linkedin.com/in/theitsmpractice/Website: http://www.theitsmpractice.comAnd if you want more tips and guidance, follow me on LinkedIn. I am sharing daily posts regarding Enterprise Service Management, IT Service Management, and IT Security.Credits:Sound engineering by Alan Southgate - http://alsouthgate.co.uk/Graphics by Yulia Kolodyazhnaya
• CISO Strategy: Where Product Security Fails at Scale 28.04.2026 7min

  Most organisations manage only build and operate, ignoring growth, where security risk explodes. Luigi Ferri reveals how CISOs miss the most critical phase, where scaling, DevOps, and rapid decisions create hidden security debt. This episode challenges leaders to shift from reactive controls to full product lifecycle governance before risk turns into incidents.In this episode, we answer to:Why is product growth the most dangerous phase for cybersecurity risk?Are CISOs governing product lifecycle or just reacting to failures?How does DevOps accelerate delivery but weaken security accountability?Resources Mentioned in this Episode:Advisera website, article "ISO 27001 control 8.25 Secure development life cycle", link https://advisera.com/iso27001/control-8-25-secure-development-life-cycle/ Ikarus website, article "Security by Design", link https://www.ikarussecurity.com/en/security-news-en/security-by-design-cybersecurity-throughout-the-product-life-cycle/ Netguru website, article "SaaS Development Life Cycle: Key Stages & Best Practices", link https://www.netguru.com/blog/saas-development-life-cycle DevOps by Techstrong Group website, article "DevSecOps: Integrating Security Into the DevOps Lifecycle", link https://devops.com/devsecops-integrating-security-into-the-devops-lifecycle/ Connect with me on:LinkedIn: https://www.linkedin.com/in/theitsmpractice/Website: http://www.theitsmpractice.comAnd if you want more tips and guidance, follow me on LinkedIn. I am sharing daily posts regarding Enterprise Service Management, IT Service Management, and IT Security.Credits:Sound engineering by Alan Southgate - http://alsouthgate.co.uk/Graphics by Yulia Kolodyazhnaya
• ITIL 5 Exposed: Accountability Without Authority 21.04.2026 8min

  ITIL 5 exposes a critical ITSM flaw: Service Owners held accountable without authority. Discover how broken governance, security vs delivery conflicts, and unclear decision rights undermine outcomes. Learn why real accountability starts before operations, and how to redesign Enterprise Service Management for true leadership.In this episode, we answer to:Why are Service Owners accountable but not empowered in ITIL 5?How does the security vs delivery tension reveal weak ITSM governance?Resources Mentioned in this Episode:PeopleCert website, article "Understanding the evolution of ITIL", link https://www.peoplecert.org/news-and-announcements/itil-version-5-explained Learning Tree International website, article "ITIL® (Version 5) Has Arrived", link https://www.learningtree.com/blog/itil-5-launch-what-you-need-to-know/ Agile PM Hub website, article "ITIL® 5 Is Here: What’s New and Why It Matters", link https://agilepmhub.com/blog/itil-version-5-whats-new-and-why-it-matters Connect with me on:LinkedIn: https://www.linkedin.com/in/theitsmpractice/Website: http://www.theitsmpractice.comAnd if you want more tips and guidance, follow me on LinkedIn. I am sharing daily posts regarding Enterprise Service Management, IT Service Management, and IT Security.Credits:Sound engineering by Alan Southgate - http://alsouthgate.co.uk/Graphics by Yulia Kolodyazhnaya
• PSD3 Explained: Payments Security & Fraud 14.04.2026 8min

  PSD3 is reshaping payments security, moving beyond PSD2’s access model to address fraud, scams and trust abuse. This episode explains why strong authentication is no longer enough, how APIs become critical to trust, and what banks and fintechs must change to stay secure, compliant and resilient.In this episode, we answer to:What makes PSD3 fundamentally different from PSD2 in payments security?Is strong customer authentication enough to stop modern fraud?How do APIs influence trust, performance and security under PSD3?Resources Mentioned in this Episode: Stripe website, article "What platforms and marketplaces can expect from PSD3", link https://stripe.com/guides/what-platforms-and-marketplaces-can-expect-from-psd3 Trustbuilder website, article "From PSD2 to PSD3: What’s Changing in the Future of Payments in Europe", link https://www.trustbuilder.com/en/psd2-psd3-directive-future-payments-europe/ Deloitte website, article "Shedding light on PSD3/PSR", link https://www.deloitte.com/lu/en/Industries/banking-capital-markets/perspectives/shedding-light-on-psd3-psr.html Schoenherr website, article "The EU's new Payments Services Package", link https://www.schoenherr.eu/content/the-eu-s-new-payments-services-package European Payments Council, article "What do the PSD3 and PSR mean for the payments sector", link https://www.europeanpaymentscouncil.eu/news-insights/insight/what-do-psd3-and-psr-mean-payments-sector Connect with me on:LinkedIn: https://www.linkedin.com/in/theitsmpractice/Website: http://www.theitsmpractice.comAnd if you want more tips and guidance, follow me on LinkedIn. I am sharing daily posts regarding Enterprise Service Management, IT Service Management, and IT Security.Credits:Sound engineering by Alan Southgate - http://alsouthgate.co.uk/Graphics by Yulia Kolodyazhnaya
• AI Governance Illusion: Hidden Risks & Accountability in ITSM 07.04.2026 9min

  AI governance maturity can be misleading. Many organizations rely on frameworks, policies, and dashboards that signal control but fail to reflect true understanding of AI systems. This episode explores the Governance–Understanding Gap, highlighting why unclear decision ownership and limited system insight create hidden risks in AI, ITSM, and Enterprise Service Management environments.In this episode, we answer to:What is the worst decision an AI system could realistically make in practice?Which AI system in the organization is least understood and hardest to explain?If an AI system makes a harmful decision, who is accountable for it?Resources Mentioned in this Episode: NIST website, framework "AI Risk Management Framework", link https://www.nist.gov/itl/ai-risk-management-frameworkEuropean Commission website, policy "Artificial Intelligence", link https://digital-strategy.ec.europa.eu/en/policies/artificial-intelligenceISO Standards website, ISO/IEC 42001 standard, link https://www.iso.org/standard/81230.htmlMIT Sloan Management Review website, article "A framework for assessing AI risk", link https://mitsloan.mit.edu/ideas-made-to-matter/a-framework-assessing-ai-riskStanford Human-Centered AI website, article " AI Index 2025", link https://aiindex.stanford.eduConnect with me on:LinkedIn: https://www.linkedin.com/in/theitsmpractice/Website: http://www.theitsmpractice.comAnd if you want more tips and guidance, follow me on LinkedIn. I am sharing daily posts regarding Enterprise Service Management, IT Service Management, and IT Security.Credits:Sound engineering by Alan Southgate - http://alsouthgate.co.uk/Graphics by Yulia Kolodyazhnaya
• DevSecOps: Responsibility Without Authority 31.03.2026 6min

  DevSecOps promises shared security responsibility, but what happens when accountability shifts without decision authority? In this episode of The ITSM Practice Podcast, Luigi Ferri explores governance gaps, risk ownership, Security Champions, burnout, and structural ambiguity in DevSecOps. A sharp reflection for CISOs, AppSec leaders, and ITSM professionals navigating security governance and enterprise risk management.In this episode, we answer to:Who is explicitly allowed to accept risk in a DevSecOps operating model?What happens when developers receive security accountability without authority?Are Security Champions strengthening governance, or masking leadership gaps?Resources Mentioned in this Episode: Blackduck website, article "DevSecOps: The good, the bad, and the ugly", link https://www.blackduck.com/blog/devsecops-challenges-benefits.htmlJit website, article "6 DevSecOps Best Practices that Enable Developers to Deliver Secure Code", link https://www.jit.io/resources/devsecops/a-practical-guide-to-devsecops-making-it-work-for-developersDecipher Bureau website, article "DevSecOps Professionals: Avoiding ‘The Great Burnout’", link https://www.decipherbureau.com/news/articles/devsecops-professionals-avoiding-the-great-burnout/ Security Journey website, article "From Disruption to Integration: Rethinking Just-in-Time Security Training", link https://www.securityjourney.com/post/from-disruption-to-integration-rethinking-just-in-time-security-training Connect with me on:LinkedIn: https://www.linkedin.com/in/theitsmpractice/Website: http://www.theitsmpractice.comAnd if you want more tips and guidance, follow me on LinkedIn. I am sharing daily posts regarding Enterprise Service Management, IT Service Management, and IT Security.Credits:Sound engineering by Alan Southgate - http://alsouthgate.co.uk/Graphics by Yulia Kolodyazhnaya
• ISO 31000 vs MoR: Closing the Risk Management Gap 24.03.2026 7min

  Enterprise Risk Management (ERM) often looks mature—risk registers, ISO 31000 alignment, MoR processes—yet fails to influence real decisions. In fintech and regulated environments, risk governance must shape judgment, not just document compliance. This episode explores why ISO 31000 and MoR lose impact under pressure, and how to align risk appetite, decision-making, and operational execution before risk accumulates.In this episode, we answer to:How can ISO 31000 truly influence enterprise decision-making in fast-moving fintech environments?Why does Management of Risk (MoR) become procedural compliance instead of strategic risk governance?How can Enterprise Risk Management integrate risk appetite, governance, and operational execution without losing agility?Resources Mentioned in this Episode:Axelos website, white paper "Everything You Wanted to Know About MoR in Less Than 1,000 Words", link https://www.axelos.com/resource-hub/white-paper/everything-you-wanted-to-know-about-m-o-r-in-less-than-1000-words Goodelearning website, article "What is Management of Risk (M_o_R)?", link https://goodelearning.com/articles/what-is-management-of-risk/ Best Practice LMS website, article "M_o_R® - Introduction", link http://www.bestpracticelms.com/mLearn/SPM-App/MOR.html ISO official website, ISO 31000:2018 standard, link https://www.iso.org/standard/65694.html Pacific Certifications, article "ISO 31000: Risk Management Framework Explained for Modern Organizations", link https://blog.pacificcert.com/iso-31000-risk-management-framework-explained/ Connect with me on:LinkedIn: https://www.linkedin.com/in/theitsmpractice/Website: http://www.theitsmpractice.comAnd if you want more tips and guidance, follow me on LinkedIn. I am sharing daily posts regarding Enterprise Service Management, IT Service Management, and IT Security.Credits:Sound engineering by Alan Southgate - http://alsouthgate.co.uk/Graphics by Yulia Kolodyazhnaya
• ITIL 5: Stop Explaining Failures. Start Owning System Decisions 17.03.2026 6min

  In this episode of the ITSM Practice Podcast, Luigi Ferri explores how ITIL 5 shifts leadership from explaining incidents to owning systemic decisions. In complex service ecosystems, governance must move upstream—before automation, architecture, and risk scale. True IT Service Management leadership is no longer about post-incident justification, but about accountable decision design in Enterprise Service Management.In this episode, we answer to:How does ITIL 5 redefine accountability in modern IT Service Management?Why is governance shifting upstream in complex, automated service environments?Are Heads of Service accountable for decisions they did not design?Resources Mentioned in this Episode: ITIL Training Academy website, article "ITIL® (Version 5): Everything New in ITIL Latest Version", link https://www.itil.org.uk/blog/itil-version-5-a-complete-guidePeopleCert website, article "ITIL, The Language of Growth", link https://www.peoplecert.org/Frameworks-Professionals/ITIL-frameworkPMG Academy website, article "The Definitive Guide to ITIL® Version 5 Foundation", link https://www.pmgacademy.com/en/articles/itil/the-definitive-guide-to-itil-version-5-foundation/ITIL official website, article "ITIL AI Governance White Paper", link https://www.itil.com/Itil-News-and-Announcements/ai-governance-white-paper INOC website, article "5 ITIL Incident Management Best Practices", link https://www.inoc.com/blog/itil-incident-management Connect with me on:LinkedIn: https://www.linkedin.com/in/theitsmpractice/Website: http://www.theitsmpractice.comAnd if you want more tips and guidance, follow me on LinkedIn. I am sharing daily posts regarding Enterprise Service Management, IT Service Management, and IT Security.Credits:Sound engineering by Alan Southgate - http://alsouthgate.co.uk/Graphics by Yulia Kolodyazhnaya
• ITIL 5, SCF and the Compliance Illusion 10.03.2026 8min

  In this episode of the ITSM Practice Podcast, Luigi Ferri challenges the illusion of security frameworks and compliance culture. Exploring the Secure Controls Framework (SCF), ISO, NIST and ITIL 5, he exposes governance immaturity, framework sprawl and risk misalignment. A sharp reflection on cybersecurity governance, enterprise risk management and why compliance without thinking weakens leadership.In this episode, we answer to:Is compliance replacing real risk-based security governance?Why do organizations accumulate ISO, NIST and SCF instead of clarifying risk ownership?How does ITIL 5 transform control frameworks into accountable governance?Resources Mentioned in this Episode:Compliance Forge website, article "The Secure Controls Framework (SCF) Is The Common Controls Framework (CCF)", link https://complianceforge.com/scf/what-is-the-scf/ Secure Controls Framework website, article "The SCF Makes Compliance A Natural Byproduct of Secure Practices", link https://securecontrolsframework.com/what-is-the-scf/ Secure Controls Framework on GitHub, article "The Secure Controls Framework (SCF) is a meta-framework (framework of frameworks) that maps to over 100 cybersecurity and privacy-related laws, regulations and industry frameworks", link https://github.com/securecontrolsframework/securecontrolsframework Secure Controls Framework website, article "Security, Compliance & Resilience (SCR) Principles", link https://securecontrolsframework.com/domains-principles/ Secure Controls Framework website, article "Secure, Compliant & Resilient Capability Maturity Model (SCR-CMM)", link https://securecontrolsframework.com/free/capability-maturity-model/ Connect with me on:LinkedIn: https://www.linkedin.com/in/theitsmpractice/Website: http://www.theitsmpractice.comAnd if you want more tips and guidance, follow me on LinkedIn. I am sharing daily posts regarding Enterprise Service Management, IT Service Management, and IT Security.Credits:Sound engineering by Alan Southgate - http://alsouthgate.co.uk/Graphics by Yulia Kolodyazhnaya
• ITIL 5 for CIOs: Governing AI-Driven Digital Systems at Scale 03.03.2026 9min

  ITIL 5 marks a decisive shift in IT Service Management. Moving beyond ITIL 4, it reframes services as AI-enabled digital product–service systems governed through data-driven decision models. This episode explores governance, accountability, CIO and CISO implications, and why ITIL 5 transforms service management into system leadership in an AI-native world.In this episode, we answer to:How does ITIL 5 redefine IT Service Management in an AI-native environment?What changes from ITIL 4 to ITIL 5 in governance, digital products, and value streams?What does ITIL 5 mean for CIOs and CISOs managing AI-driven digital services?Resources Mentioned in this Episode:ITIL Training Academy website, article "ITIL® (Version 5): Everything New in ITIL Latest Version", link https://www.itil.org.uk/blog/itil-version-5-a-complete-guideServiceNow website, article "Understanding ITIL 5: What’s New and How It Builds on ITIL 4", link https://www.servicenow.com/community/virtual-agent-forum/understanding-itil-5-what-s-new-and-how-it-builds-on-itil-4/m-p/3478594 Novelvista website, article "ITIL 4 vs ITIL (Version 5): What’s New, Changed, and Refined?", link https://www.novelvista.com/blogs/it-service-management/itil4-vs-itil5 PeopleCert website, article "ITIL Foundation (Version 5)", link https://www.peoplecert.org/browse-certifications/it-governance-and-service-management/ITIL-1/itil-5-foundation-version-50-4154Tarun Dewat, LinkedIn post "ITIL 5 has officially arrived, and it’s one of the most transformative updates the IT service management world has seen in years", link https://www.linkedin.com/posts/tarun-dewat-699818222_itil-5-has-officially-arrived-and-its-one-activity-7422705091654275073-6AxT ageeogee user on Reddit, post "Will ITIL 5 look more like 3 or 4?", link https://www.reddit.com/r/ITIL/comments/1l4bak8/will_itil_5_look_more_like_3_or_4/ Connect with me on:LinkedIn: https://www.linkedin.com/in/theitsmpractice/Website: http://www.theitsmpractice.comAnd if you want more tips and guidance, follow me on LinkedIn. I am sharing daily posts regarding Enterprise Service Management, IT Service Management, and IT Security.Credits:Sound engineering by Alan Southgate - http://alsouthgate.co.uk/Graphics by Yulia Kolodyazhnaya
• Why IT Maturity Is the Hidden Risk in IT Carve-Outs 24.02.2026 8min

  In this episode of The ITSM Practice Podcast, Luigi Ferri explains why IT maturity is the decisive factor in successful IT carve-outs. From dependency mapping to ITIL v3 governance and continuity stress testing, the episode shows how disciplined IT Service Management prevents disruption, cost overruns, and failed separations during complex enterprise transitions.In this episode, we answer to:Where is the real boundary between what IT owns and what a carved-out unit must take?What breaks first when a shared IT service disappears during a carve-out?Why does IT governance need to come before architecture and migration design?Resources Mentioned in this Episode: AvenDATA website, article "What is a carve-out and why is it important?", link https://avendata.com/blog/what-is-a-carve-out-and-why-does-it-matter Umbrex website, article "Stakeholder Alignment and Governance", https://umbrex.com/resources/carve-out-playbook/stakeholder-alignment-and-governance/ Invgate website, article "The most flexible no-code ITSM solution", link https://invgate.com/itsm/itil/itil-service-lifecycle Rezolve AI website, article "ITIL v3: Framework & Best Practices", link https://www.rezolve.ai/blog/itil-v3-framework-best-practices Alloy Software website, article "5 Stages of the ITIL Service Lifecycle: A Simple Guide to Better IT Service Management", link https://www.alloysoftware.com/blog/itil-lifecycle/ Eurostep website, article "Data carve-out best practices: Insights into streamlining data separation for business units", link https://www.eurostep.com/data-carve-out-best-practices-insights-into-streamlining-data-separation-for-business-units/ Connect with me on:LinkedIn: https://www.linkedin.com/in/theitsmpractice/Website: http://www.theitsmpractice.comAnd if you want more tips and guidance, follow me on LinkedIn. I am sharing daily posts regarding Enterprise Service Management, IT Service Management, and IT Security.Credits:Sound engineering by Alan Southgate - http://alsouthgate.co.uk/Graphics by Yulia Kolodyazhnaya
• Why ITIL 4 Is Critical for HITRUST Success 17.02.2026 8min

  HITRUST certification is not a shortcut to trust. In this episode of The ITSM Practice Podcast, Luigi Ferri explains why real success with HITRUST depends on operational maturity, disciplined processes, and ITIL 4 practices. Learn how process consistency, evidence, and repeatability are the true foundations of sustainable compliance and security.In this episode, we answer to:Why do many mid-size organizations fail HITRUST despite strong technical controls?How do ITIL 4 practices enable sustainable HITRUST certification?Which process maturity gaps block HITRUST readiness the most?Resources Mentioned in this Episode: HITRUST Alliance website, article "HITRUST CSF Framework overview", link https://hitrustalliance.net/hitrust-frameworkHITRUST Alliance website, article "HITRUST CSF Control Maturity Evaluation Guide", link https://hitrustalliance.net/hubfs/Download%20Center%20%2B%20Partner%20Content/Evaluating-Control-Maturity-Using-the-HITRUST-Approach.pdfSchneider Downs website, article "Complete Guide to HITRUST Certification", link https://schneiderdowns.com/guide-to-hitrust-certification/Tevora website, article "HITRUST Certification Top Strategies for Effective Evidence Collection", link https://www.tevora.com/resource/hitrust-certification-top-strategies-for-effective-evidence-collection/Connect with me on:LinkedIn: https://www.linkedin.com/in/theitsmpractice/Website: http://www.theitsmpractice.comAnd if you want more tips and guidance, follow me on LinkedIn. I am sharing daily posts regarding Enterprise Service Management, IT Service Management, and IT Security.Credits:Sound engineering by Alan Southgate - http://alsouthgate.co.uk/Graphics by Yulia Kolodyazhnaya
• FISMA in the Cloud: What Midsize Security Teams Need to Know 10.02.2026 8min

  In this episode of The ITSM Practice Podcast, we explore what FISMA really means for midsize, cloud-native security teams. Using real-world scenarios, we explain why FISMA was built for federal systems, where it clashes with cloud responsibility models, and how a risk-based adoption strengthens governance without falling into compliance theatre.In this episode, we answer to:Do FISMA controls apply to cloud-native and SaaS-based environments?How can midsize companies use FISMA without full federal-style compliance?Why is risk-based adoption more effective than checklist compliance in the cloud?Resources Mentioned in this Episode: CISA website, Federal Information Security Modernization Act page, link https://www.cisa.gov/topics/cyber-threats-and-advisories/federal-information-security-modernization-actNIST website, NIST Special Publication 800-53, link https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdfSecureframe website, article "FISMA Compliance: What It Is and How to Achieve It", link https://secureframe.com/hub/nist-800-53/fisma-complianceSecurity Compass website, article "ISO 27001 vs NIST 800-53", link https://www.securitycompass.com/blog/iso-27001-vs-nist-800-53/Connect with me on:LinkedIn: https://www.linkedin.com/in/theitsmpractice/Website: http://www.theitsmpractice.comAnd if you want more tips and guidance, follow me on LinkedIn. I am sharing daily posts regarding Enterprise Service Management, IT Service Management, and IT Security.Credits:Sound engineering by Alan Southgate - http://alsouthgate.co.uk/Graphics by Yulia Kolodyazhnaya
• ISO 27001 & ISO 42001: Governing AI Risk 03.02.2026 9min

  As AI expands the security perimeter, CISOs face new questions about data, trust, and accountability. This episode explains how combining ISO/IEC 27001 and ISO/IEC 42001 creates a unified governance engine for information security and AI governance. Learn how mid-size organizations can turn AI risk, transparency, and compliance into a strategic advantage.In this episode, we answer to:How does AI change the traditional security perimeter defined by ISO 27001?Why is ISO 42001 essential to govern AI risk, fairness, and explainability?How can CISOs clearly explain to customers where AI uses and sends their data?Resources Mentioned in this Episode:De.iterate website, article "ISO 42001 Certification: Benefits, Challenges, and Real-World Applications", link https://deiterate.com/2025/02/26/iso-42001-certification-benefits-challenges-and-real-world-applications/Cherry Bekaert website, article "ISO 42001 vs. ISO 27001: Data Protection for Scaling Your Professional Services Firm", link https://www.cbh.com/insights/articles/data-protection-for-professional-services-firms/Mitratech website, article "ISO 42001 & AI Risk: Strengthen Third-Party Compliance", link https://mitratech.com/resource-hub/blog/iso-42001-ai-risk-strengthen-third-party-compliance/ Walter Haydock blog, article "How we implement ISO 42001 control A.10.3 and help clients do the same to manage AI vendor risk", link https://blog.stackaware.com/p/iso-42001-annex-a-control-10-3-supplier-risk-management Connect with me on:LinkedIn: https://www.linkedin.com/in/theitsmpractice/Website: http://www.theitsmpractice.comAnd if you want more tips and guidance, follow me on LinkedIn. I am sharing daily posts regarding Enterprise Service Management, IT Service Management, and IT Security.Credits:Sound engineering by Alan Southgate - http://alsouthgate.co.uk/Graphics by Yulia Kolodyazhnaya
• Payment Security by Design with PCI P2PE 27.01.2026 9min

  In this episode of The ITSM Practice Podcast, Luigi Ferri explains why PCI P2PE is not just encryption but a security-by-design discipline. Learn how point-to-point encryption eliminates clear-text card data, reduces breach impact, simplifies PCI compliance, and integrates with ITIL governance to protect trust from the first millisecond of payment.In this episode, we answer to:What is PCI P2PE and why is it critical for modern payment security and PCI DSS compliance?How does P2PE reduce breach exposure and change merchant compliance obligations?Why are governance, the PIM, and ITIL practices essential to keeping P2PE effective over time?Resources Mentioned in this Episode: PCI website, white paper "P2PE At a Glance", link https://www.pcisecuritystandards.org/documents/P2PE_At_a_Glance_v3.pdfPCI website, white paper "Point-to-Point Encryption", link https://www.pci-dss.gr/media/1934/p2pe_hybrid_v111.pdfPayway website, article "Protect Cardholder Data with P2PE", link https://www.payway.com/blog/how-to-keep-yourself-out-of-the-news-with-p2pe Bluefin website, article "What is Point-to-Point Encryption (P2PE)?", link https://www.bluefin.com/payment-security/pci-p2pe-faq/Ingenico website, article "3 Things to Know About P2PE v3.0", link https://ingenico.com/de/node/818Connect with me on:LinkedIn: https://www.linkedin.com/in/theitsmpractice/Website: http://www.theitsmpractice.comAnd if you want more tips and guidance, follow me on LinkedIn. I am sharing daily posts regarding Enterprise Service Management, IT Service Management, and IT Security.Credits:Sound engineering by Alan Southgate - http://alsouthgate.co.uk/Graphics by Yulia Kolodyazhnaya
• ITIL v3 as the Backbone of eSIM Security 20.01.2026 11min

  In this episode of The ITSM Practice Podcast, Luigi Ferri explains how ITIL v3 processes enable compliance with GSMA SAS-SM for secure eSIM provisioning. Discover how governance, service design, change, and continual improvement turn security from theory into an auditable, operational discipline in modern telecom environments.In this episode, we answer to:How can ITIL v3 processes support GSMA SAS-SM certification for eSIM management?What operational evidence is required to prove secure remote SIM provisioning?How do governance and continual improvement help maintain long-term SAS-SM compliance?Resources Mentioned in this Episode:GSMA website, article "Security Accreditation Scheme (SAS)", link https://www.gsma.com/solutions-and-impact/industry-services/assurance-services/security-accreditation-scheme-sas/GSMA website, article "eSIM Compliance", link https://www.gsma.com/solutions-and-impact/technologies/esim/compliance/IT Process Maps website, article "IT Security Management", link https://wiki.en.it-processmaps.com/index.php/IT_Security_Management?Connect with me on:LinkedIn: https://www.linkedin.com/in/theitsmpractice/Website: http://www.theitsmpractice.comAnd if you want more tips and guidance, follow me on LinkedIn. I am sharing daily posts regarding Enterprise Service Management, IT Service Management, and IT Security.Credits:Sound engineering by Alan Southgate - http://alsouthgate.co.uk/Graphics by Yulia Kolodyazhnaya