Technology Portfolio Management (TPM) Best Practices - Reference available industry taxonomies — and understand their purposes and limitations
Overview
Several industry-standard taxonomies exist that organizations may reference when designing their Technology Categorization Taxonomy. Each has been developed for a specific governance purpose and reflects the priorities of the organization or standards body that created it. Understanding what each taxonomy was designed to do — and what it was not designed to do — is essential for using it productively as a reference without being constrained by its limitations. None of these taxonomies was designed specifically for Technology Portfolio Management governance. Each is a useful reference for specific dimensions of the taxonomy design challenge, but none can be adopted wholesale as the IF4IT TPM taxonomy without significant adaptation.
Best Practice
Review the following industry taxonomies as reference inputs to the organization’s own taxonomy design. Understand each taxonomy’s primary orientation, its strengths for TPM purposes, and its known limitations. Adopt, adapt, or selectively reference each as appropriate to the organization’s specific governance context. No external taxonomy is mandated by IF4IT.
The TBM Taxonomy, maintained by the TBM Council and the FinOps Foundation, is the most widely adopted standard for IT cost and technology categorization in enterprise environments. It organizes IT spending into IT Towers, Sub-Towers, and Cost Pools, providing a structured hierarchy for cost attribution and benchmarking. Its strengths for TPM purposes are financial: it provides a well-proven structure for allocating technology costs and comparing spending patterns against peer organizations. Its limitations for TPM governance are significant: it is financially oriented rather than governance-oriented, it does not address technology lifecycle status, risk profile, or Strategic Disposition, and its categories reflect cost accounting logic rather than governance distinctions. (Source: TBM Council / FinOps Foundation.)
The Gartner IT Taxonomy is Gartner’s proprietary classification of IT spending and technology categories, used in their benchmarking services, Magic Quadrant research, and market analysis publications. It is widely referenced by CIOs and IT leadership who use Gartner research. Its strengths for TPM purposes include its alignment with the language and categories that many IT leadership teams already use through their Gartner research subscriptions. Its limitations include its proprietary nature — it requires an active Gartner subscription for full access — and its orientation toward market analysis and vendor evaluation rather than internal portfolio governance. (Source: Gartner, Inc.)
The TOGAF Technology Architecture Taxonomy is The Open Group Architecture Framework’s categorization of technology building blocks within the Technology Architecture domain, addressed in Phase D of the TOGAF Architecture Development Method. Its strengths for TPM purposes are architectural: it provides a principled structure for organizing technology components in the context of the overall enterprise architecture. Its limitations include its design for formal architecture engagements rather than ongoing portfolio governance operations, and its level of abstraction, which is appropriate for architecture modeling but less operational for day-to-day inventory management. (Source: The Open Group, TOGAF Standard, 10th Edition.)
The UNSPSC — United Nations Standard Products and Services Code — is a global hierarchical classification of products and services that includes extensive technology categories. It is widely used in procurement and contract management contexts. Its strengths for TPM purposes include its global adoption and its usefulness for connecting technology classification to the procurement and vendor management processes that acquire technology assets. Its limitations include its procurement orientation and its granularity, which is often more detailed than needed for portfolio governance while missing the governance-relevant distinctions that matter for TPM. (Source: GS1 US / United Nations Development Programme.)
The eCl@ss standard is a European classification and description standard for products and services used primarily in procurement, supply chain, and manufacturing contexts. It offers greater granularity than UNSPSC in some technology hardware categories. Its limitations for general enterprise TPM purposes include its European and manufacturing focus and its procurement orientation rather than governance orientation. (Source: eCl@ss e.V.)
The SPDX standard — Software Package Data Exchange — is maintained by the Linux Foundation and is the primary standard for software bill of materials (SBOM) creation and open source license identification. It provides a taxonomy of open source license types and a data format for recording software component dependencies and their associated license obligations. For the Open Source Components Inventory in particular, SPDX is the authoritative classification reference for license types and the standard format for SBOM artifacts. Organizations subject to the EU Cyber Resilience Act, which mandates SBOM for products with digital elements sold in the EU market, should treat SPDX compliance as a governance requirement rather than an optional reference. (Source: The Linux Foundation, SPDX Project; EU Cyber Resilience Act.)
Benefit(s)
Reviewing existing industry taxonomies as reference inputs — rather than adopting any single taxonomy wholesale — allows the organization to design a Technology Categorization Taxonomy that reflects its own governance priorities while benefiting from the substantial design work embedded in each industry standard. The TBM Taxonomy informs the financial categorization dimensions. The TOGAF taxonomy informs the architectural categorization dimensions. The SPDX standard provides the authoritative structure for the Open Source Components Inventory. The organization builds a taxonomy that is better designed for its specific governance context than any industry standard alone, while remaining compatible with the external references that regulators, auditors, and leadership use.
Copyright for the International Foundation for Information Technology (IF4IT): 2008 - Present