So once the rationale for a standard has been determined, the next challenge is implementing it.

Standards are change management in disguise. Implementing a standard is really an exercise in organizational change management. The best way to implement standards is to start with a single lead standard — say ITIL or Six Sigma — and then add selected parts of other standards as needed. That way, change is easier because the purpose is clearer to everyone.

Nevertheless, the amount of change that can be absorbed should be factored strongly into standards decisions. As the benefits come from changes in people's behaviour, standards that are too much of a stretch will rarely achieve the desired outcome. An evaluation of your change management capabilities should drive this understanding.

Implementing standards is both broad and deep. Broad in that most standards initiatives cut across many business functions. Deep in the sense that they entail major behavioural, process and sometimes technical changes. All this argues for a carefully tailored and phased approach.

Usually, not all of a standard is relevant for your business, and only some components will contribute to your business's current strategic objectives. Successful standards implementations typically start with some rational decisions about which parts will add value and which are unnecessary.

A CIO of a professional services firm we interviewed told us that his organization aggressively tailored the CobiT standard down to 55 key control objectives. This dramatically reduced the effort of conformance, but cost significantly more. It had a significant up-front "discovery" cost. It cost more to analyze and select which controls were needed to achieve the required benefit (regulatory compliance with Sarbanes-Oxley). And negotiations with auditors, who changed the "goalposts" a number of times, in terms of what they would be looking for in their audit, were difficult.

The interesting lesson to draw from this is that, in retrospect, it would have been better to have tailored less. This would have reduced effort and time (for discovery of the CobiT subset). And it would have reduced the need for such negotiation with the auditors, albeit at a higher compliance cost later on.

Don't go big bang either. Another CIO — this time from a health-care service provider — started both ISO 9000 and CMMi work in early 2004 and went big bang. It didn't work out as the approach foundered. The initiative was brought to a successful conclusion by a deft change of focus, from enterprise-wide, to focusing on just one development department, achieving CMMi Level 2 in December 2005. This CIO is now shooting for CMMi Level 2 for all departments in a year, and Level 3 for the pioneer group in the same time frame.

It is tempting to leave third parties out of the standards and performance improvement picture such as your outsource partners. After all, you do not have direct control of their internal resources. But the goal is to improve the services delivered to your internal and external customers, no matter where they are sourced from. So while this is especially important in highly outsourced environments it also applies to all IS organizations.

So, we have implemented our chosen standards — what now?