What ITSM Maturity Actually Looks Like in Practice — and How to Know Where You Stand

Ask most IT leaders what their ITSM maturity level is, and you'll get a confident answer. Ask them to evidence it, and the conversation quickly becomes uncomfortable. This isn't a criticism. It reflects the fact that maturity is genuinely difficult to assess objectively from the inside. You can't see your own blind spots, and the closer you are to the day-to-day operation, the harder it is to step back and assess it clearly.

This is one of the core reasons independent assessment exists. Over the years, we have conducted formal ITSM benchmarking assessments across dozens of enterprise organisations: financial services, infrastructure, public sector, manufacturing and professional services. The pattern we see, consistently, is that self-assessed maturity runs roughly one level higher than independently assessed maturity. It's not dishonesty. It's proximity.

What the Maturity Levels Actually Mean

Maturity frameworks, including ITIL 4's own guidance, describe levels in abstract terms. In practice, the differences between levels are visible in very specific, observable behaviours. Here is what we actually see at each level.

0 — Absent. There is no evidence of any activities supporting the practice. Incidents are handled by whoever is available, using whatever approach they find familiar. No consistent process, no ownership, no categorisation. Knowledge lives entirely in people's heads. There may be a tool in place but it is being used as a glorified email system. Most organisations at this level do not know they are here.

1 — Initial. The practice exists in name but is not well defined and is ad hoc. Basic processes exist on paper and are followed some of the time by some people. Escalation paths are unclear and frequently bypassed. Change management exists but is poorly understood and inconsistently applied. Problem management as a discipline is largely absent — the same incidents recur without root cause analysis. Reporting happens, but it measures activity rather than outcomes.

2 — Defined. The practice is established and there is moderate adherence to its execution. Processes are documented, understood and followed consistently across the team. Incident management has clear categorisation, priority definitions and SLAs that are measured and reported. Change management has a functioning CAB. The service catalogue exists and is maintained. Knowledge management is active. This is the level most mature enterprise organisations genuinely operate at.

3 — Repeatable. The practice is established, documented, repeatable and integrated with other processes and value streams. Processes are consistently followed across the organisation. Incident management integrates with problem and change. Knowledge is actively used at the point of triage. Continual improvement is a structured, evidenced discipline rather than a periodic exercise. The organisation can demonstrate that its ITSM practices are working together as a system.

4 — Managed. Practice execution is tracked by gathering qualitative and quantitative feedback using value-based metrics, and the practice is under continual improvement. The organisation uses ITSM data to drive decisions, not just report on activity. Problem management is genuinely proactive — trend analysis identifies emerging issues before they become incidents. Service performance is understood in the context of business outcomes. Senior IT leadership can articulate service value in language the business understands. This level is less common than most organisations believe.

The Signs That Reveal True Maturity

There are specific indicators we look for during assessments that cut through self-perception and reveal actual maturity. They are unglamorous, but they are reliable.

The first is incident categorisation consistency. Pull a sample of 100 recent incidents and look at how they have been categorised. In a mature organisation, categorisation is consistent: the same type of incident is categorised the same way regardless of who logged it. In a less mature organisation, you will find wide variation, catch-all categories that absorb everything ambiguous, and re-categorisation happening at volume after the fact. What you see here tells you the true quality of your data, and by extension the quality of any AI or analytics tool applied on top of it.

The second is what happens when a key person is absent. In a genuinely mature ITSM environment, processes continue reliably when individuals are away. In a less mature one, critical knowledge walks out of the door on holiday and things break or slow dramatically. This is a knowledge management maturity indicator, and it is one of the most honest tests available.

The third is the relationship between Problem and Incident management. In a mature organisation, problems are raised as a matter of course when recurring incidents are identified, and problem investigations produce root cause analysis that actually changes something. In most organisations we assess, problem records exist but investigations stall, root causes are never formally confirmed, and the same incidents continue to recur. The problem record closes not because the problem was solved but because it got old.

Why This Matters More Now Than Ever

ITSM maturity has always mattered, but the stakes have increased significantly with the rise of AI investment in enterprise IT. The organisations rushing to deploy AI-powered service desks, predictive analytics and automated triage are finding out, often at considerable cost, that AI performance is entirely dependent on the quality of the inputs it receives. Inconsistent incident categorisation produces unreliable AI triage. Outdated knowledge produces confident wrong answers from AI knowledge tools. An incomplete service catalogue makes AI self-service fail on first contact.

AI does not fix broken ITSM foundations. It amplifies whatever is already there. An organisation at a Reactive maturity level that deploys AI gets a faster, more automated version of the same problems it already had.

How to Get an Honest Assessment

The most reliable way to understand your true ITSM maturity is independent assessment: structured, evidence-based evaluation against a consistent benchmark, conducted by practitioners who have no stake in the outcome and no tool or vendor to sell. This is exactly what we do at The ITSM People, and it is what gives the organisations we work with a foundation they can actually act on. If you want to understand where you genuinely stand rather than where you hope you are — we would be glad to talk.