Why most open source ITSM tools fall short on ITIL
The ITSM market has two tiers. At the top are enterprise platforms like ServiceNow, BMC Helix, and Ivanti that cost six or seven figures annually and require dedicated teams to implement. In the middle are tools like Jira Service Management and Freshservice that handle basic ticketing and service desk workflows but rely on add-ons or creative workarounds for the broader ITIL process framework. And at the bottom is a graveyard of open source ticketing systems that call themselves ITSM tools but are really just help desks with a request queue.
The gap is in the middle. What if you need real ITIL process coverage, a proper CMDB with relationships and impact analysis, SLA tracking, change management with approval workflows, and a service catalog, but you do not have a ServiceNow budget? What if you are a small IT department, a government program office running lean, an MSP serving multiple customers, or a contractor standing up ITSM on a project with no recurring license budget?
That is the gap iTop fills. It is not a help desk with aspirations. It is a genuine ITSM platform built around a CMDB, and it has been in active development since 2010 by Combodo, a French company that has kept the community edition fully functional and free under the AGPL license.
What iTop actually includes out of the box
iTop's community edition ships with a data model that covers the core ITIL processes. This is not a stripped-down version with the good parts locked behind a paywall. The community edition is the foundation, and it includes:
Configuration Management Database. The CMDB is the center of iTop, not an afterthought bolted on later. The data model includes servers, network devices, PCs, virtual machines, applications, database instances, storage systems, middleware, and more. Every CI type has predefined attributes and relationships. The relationships are typed and directional: a server hosts an application, an application depends on a database, a business process uses a service. Impact analysis traces dependencies automatically, so when a server goes down you can see exactly what services and business processes are affected.
Incident Management. Create, assign, escalate, and resolve incidents with full lifecycle tracking. Incidents link to CIs, services, and contacts. The workflow follows ITIL: identification, logging, categorization, prioritization, investigation, resolution, closure. SLA timers track response and resolution deadlines based on the service and priority.
Request Management. Service requests flow through a catalog-driven workflow separate from incidents. Users submit requests from a self-service portal, requests route to the appropriate team based on the service catalog configuration, and the fulfillment workflow tracks each request to completion.
Problem Management. Track root causes, link problems to incidents, and manage known errors. Problems have their own lifecycle: identification, logging, categorization, prioritization, investigation, workaround, known error, resolution. When a problem is linked to a set of recurring incidents, iTop tracks that relationship so you can see the root cause driving your ticket volume.
Change Management. Change requests follow an ITIL-aligned workflow: registration, assessment, planning, approval, implementation, review. Changes link to affected CIs, related incidents, and the service they impact. Change approvals can involve multiple approvers.
Service Management. Define your service catalog with services, service subcategories, and SLA contracts. The catalog connects to every other process: incidents and requests are categorized by service, SLAs calculate deadlines based on the service contract, and reporting breaks down by service line.
SLA Management. SLAs are defined as contracts between your organization and your customers (internal or external). Each SLA specifies target response and resolution times by priority level. iTop tracks SLA compliance in real time and flags breaches. This is not a basic timer. It handles business hours, holidays, and coverage windows.
Contact and Organization Management. Track organizations, teams, and people. Contacts link to CIs (who is responsible for this server), services (who delivers this service), and tickets (who reported this incident, who is assigned). For MSPs serving multiple customers, the multi-organization model lets you segregate data by customer while managing everything from one instance.
Why the CMDB makes iTop different
Most IT service management tools treat the CMDB as a secondary feature. Jira Service Management added Assets (formerly Insight) as a bolt-on. ServiceNow's CMDB is powerful but requires significant implementation effort and licensing. Many open source help desks have no CMDB at all.
iTop was designed around its CMDB from the beginning. The CMDB is not a module you enable. It is the core data structure that every other process references. When you create an incident, you link it to a CI. When you submit a change request, you specify the affected CIs. When you define a service, you map it to the infrastructure that delivers it.
The CMDB data model is extensible. iTop includes a Data Model Toolkit and a low-code designer (ITSM Designer) that lets you add CI types, attributes, and relationships without writing PHP code. If your environment has CI types that the default model does not cover, you can add them. If you need custom attributes on existing types, you can add those too.
The impact analysis feature traces relationships through the CMDB graph and shows you the blast radius of a CI failure or change. When you are evaluating whether to approve a change or trying to understand why an application is down, the impact analysis gives you the dependency chain visually. This is a feature you normally only get in enterprise platforms.
For teams coming from a CMDB design background, whether using JSM Assets, ServiceNow, or a schema like the one provided by the open source cmdb-kit project, iTop's CI types and relationships will feel familiar. The concepts are the same: CI types with attributes, typed relationships, and service-to-infrastructure mapping. The implementation details differ but the design principles transfer directly.
How to get started with iTop
Option 1: Docker (fastest)
The fastest way to get a running iTop instance is Docker. Community-maintained images are available on Docker Hub:
docker run -d -p 8080:80 \
-e DB_HOST=db \
-e DB_NAME=itop \
-e DB_USER=itop \
-e DB_PASS=itop \
--link itop-db:db \
supervisions/itopRun a MariaDB container alongside it and you have a working iTop instance in minutes. Open a browser to port 8080 and walk through the setup wizard.
Option 2: Traditional install
iTop runs on Apache with PHP and MySQL or MariaDB. The requirements are standard LAMP stack:
- PHP 8.1 or later with extensions: mysqli, soap, dom, json, mbstring, gd, xml, zip, ldap
- MySQL 5.7 or MariaDB 10.3 or later
- Apache with mod_rewrite
- Graphviz (for impact analysis diagrams)
On Ubuntu:
apt install apache2 mariadb-server php php-mysql php-ldap \
php-soap php-json php-gd php-xml php-zip php-mbstring graphvizDownload the latest release from GitHub (github.com/Combodo/iTop), extract to your web root, and run the browser-based setup wizard. The wizard walks you through database configuration, module selection, and initial admin account creation.
Option 3: iTop SaaS
Combodo offers a hosted SaaS version for teams that do not want to manage infrastructure. This is the Professional or Enterprise edition with commercial support, not the community edition.
What to explore first
After installation, iTop presents a lot of options. Here is a practical sequence for getting productive:
Start with the CMDB. Add a few organizations, locations, and contacts. Then add a handful of CIs: a server, an application, a database. Create relationships between them. This gives you the foundation that everything else references.
Then set up your service catalog. Define one or two services with service subcategories. Attach an SLA with response and resolution targets. This does not need to be comprehensive on day one. Start with your highest-volume service and expand later.
Create a test incident linked to a CI and a service. Watch the SLA timer start. Assign it, work it, resolve it, close it. See the full lifecycle.
Then create a change request. Link it to a CI, specify the impact, and walk through the approval workflow. See how the change links to the CMDB and the service it affects.
By this point you will understand how iTop's processes connect through the CMDB, and you will know whether the platform fits your environment.
How iTop compares to the commercial platforms
iTop vs ServiceNow. ServiceNow is an enterprise platform with hundreds of modules, a proprietary scripting engine, and pricing that starts at tens of thousands per year. iTop covers the ITIL core (Incident, Problem, Change, Request, CMDB, Service Catalog, SLA) but does not attempt to match ServiceNow's breadth in areas like HR Service Delivery, Security Operations, GRC, or AI-driven automation. For teams that need ITIL ITSM with a proper CMDB, iTop delivers. For teams that need an enterprise platform that spans IT and non-IT workflows, ServiceNow is in a different category.
iTop vs Jira Service Management. JSM is a good service desk and project management tool. Its ITIL coverage is thinner than iTop's, particularly around change management, problem management, and CMDB. JSM's CMDB (Assets) is functional but was added later and is not as deeply integrated into the ITSM workflows. JSM's strengths are in its integration with the Atlassian ecosystem (Confluence, Bitbucket, Jira Software) and its modern UI. iTop's strengths are in its ITIL process depth and its CMDB-centric architecture.
iTop vs other open source options. GLPI is another open source ITSM tool with asset management and help desk features, but its ITIL process coverage is not as comprehensive as iTop's. Zammad and osTicket are help desks, not ITSM platforms. FreeITSM (now called ManageEngine) is not truly open source. iTop occupies a unique position as the only open source tool that delivers full ITIL process coverage with an integrated CMDB.
When iTop is the right choice
iTop fits well when the budget for commercial ITSM licensing is zero or minimal, when you need a real CMDB with relationships and impact analysis, when your ITIL requirements go beyond basic ticketing into change, problem, and service management, when you want to self-host on infrastructure you control (including air-gapped or government environments), or when you are an MSP managing multiple customer organizations from one instance.
iTop is less suitable when you need deep integration with the Atlassian or Microsoft ecosystem, when your organization requires a platform that spans IT and non-IT workflows (HR, legal, facilities), or when you need enterprise support SLAs and certified compliance (FedRAMP, IL4/IL5). For those requirements, ServiceNow or BMC Helix are more appropriate, but they come with proportional cost.
Pairing iTop with DFIR-IRIS for security incident response
One of iTop's gaps compared to enterprise platforms like ServiceNow is the lack of built-in security operations and incident response tooling. ServiceNow has Security Incident Response (SIR) as a native module. iTop handles IT service incidents but was not designed for the forensics-heavy, evidence-driven workflow that security incidents require.
DFIR-IRIS fills that gap. It is an open source, collaborative incident response platform built specifically for digital forensics and incident response teams. Where iTop tracks "the mail server is down and 200 users are affected," DFIR-IRIS tracks "we have indicators of compromise on three hosts, here is the forensic timeline, here are the IOCs, here is the evidence chain, and here is where we are in the containment and eradication process."
DFIR-IRIS provides case management for security investigations with timelines, IOC tracking, evidence management, and forensic artifacts. It supports pipeline modules for processing evidence through automated analysis workflows and processor modules that trigger actions on predefined hooks. It includes built-in integrations with VirusTotal, MISP (threat intelligence sharing), and IntelOwl. The full REST API makes it automatable and integratable with other tools in your security stack.
The practical pairing works like this. iTop handles your ITIL service management: incident tickets from users, change management, problem management, and the CMDB that maps your infrastructure. When an incident is identified as a security event, a linked case is created in DFIR-IRIS for the IR team to investigate. The iTop incident tracks the service impact and communication with affected users. The DFIR-IRIS case tracks the technical investigation: forensic analysis, IOC collection, containment actions, and evidence preservation.
iTop's CMDB feeds context into the IR process. When the IR team needs to know what other systems are connected to a compromised server, iTop's impact analysis provides that dependency map. When containment requires taking a system offline, the change management process in iTop documents the decision and coordinates the communication.
Both platforms are self-hosted and open source, which means the entire stack can run on government-controlled infrastructure with no cloud dependencies. For defense programs and agencies that need both ITSM and security operations capability without commercial licensing costs, the iTop plus DFIR-IRIS combination provides coverage that normally requires ServiceNow ITSM plus ServiceNow SIR, at zero license cost.
DFIR-IRIS runs in Docker, uses PostgreSQL, and has LDAP support for enterprise authentication. The installation is straightforward and the API documentation is thorough. Like iTop, it is actively maintained with regular releases.
Using iTop with migration-kit and cmdb-kit
If you are migrating from Jira or ServiceNow to iTop, the open source migration-kit project provides extraction tools that pull your existing data into a normalized format. iTop's REST API and CSV import features can then load that data into your iTop instance. The extraction side of the workflow (inventorying what you have, mapping fields and statuses, validating counts) applies regardless of the target platform.
For CMDB design work, the cmdb-kit project provides schema patterns, CI type hierarchies, and example data that map well to iTop's CMDB data model. The CI type taxonomy in cmdb-kit (products, versions, servers, databases, deployments, components) aligns with iTop's built-in CI classes, and the relationship patterns transfer directly.
FAQ
Q: Is iTop really free for production use? A: Yes. The community edition is released under the AGPL-3.0 license. You can use it in production for any number of users, CIs, and tickets with no license fees. Combodo makes money from commercial support, professional and enterprise editions (which add features like advanced portal customization, data synchronization, and premium extensions), and consulting services. The community edition is not crippled.
Q: How does iTop handle multi-tenancy for MSPs? A: iTop's organization model supports multiple customer organizations in one instance. Each CI, contact, ticket, and service can be scoped to an organization. Users see only the data for their organization. This is built into the core model, not an add-on.
Q: Can I import my existing CMDB data into iTop? A: iTop supports CSV import with a mapping wizard and has a REST/JSON API for programmatic data loading. For large migrations, use CSV import for the initial bulk load and the API for ongoing synchronization. The Data Model Toolkit documentation covers the import process in detail.
Q: How does iTop's extensibility work? A: iTop uses XML-based data model definitions. You can add CI types, attributes, relationships, menus, and lifecycle states by creating extension modules. The ITSM Designer provides a visual, low-code approach for common customizations. For deeper changes, you write XML definitions and PHP classes. The extension model keeps your customizations separate from the core code, so upgrades do not overwrite your changes.
Q: What does Combodo's commercial support include? A: Combodo offers professional and enterprise support with SLAs, access to premium extensions (enhanced portal, data synchronization connectors, advanced reporting), and consulting services. The support is responsive and deep according to community reviews. Pricing is not published publicly.
Q: Can iTop run in a government environment? A: iTop can run on any infrastructure you control, including government-owned servers, government cloud environments, and air-gapped networks. It has no phone-home requirements and no cloud dependencies. The AGPL license allows government use. However, iTop does not have FedRAMP authorization as a hosted service. Self-hosted deployments on authorized infrastructure inherit the authorization of that infrastructure.
Q: How active is the iTop community? A: The GitHub repository (github.com/Combodo/iTop) has active development with regular releases. The SourceForge forums and iTop Hub community have active discussion threads. Combodo has maintained the project since 2010 and continues to develop both the community and commercial editions. The community is smaller than ServiceNow or Jira but engaged and technically competent.
Q: Does iTop support ITIL 4? A: iTop's process model aligns with ITIL best practices. The terminology and workflows map to both ITIL v3 and ITIL 4 concepts. iTop does not claim a specific ITIL version certification, which is consistent with most ITSM tools outside the PinkVERIFY certification program.
Q: How does DFIR-IRIS integrate with iTop? A: Both tools have REST APIs, so integration is done through API calls. When an iTop incident is escalated to a security investigation, create a case in DFIR-IRIS via its API and store the case reference on the iTop ticket. DFIR-IRIS can query iTop's CMDB API for CI details and dependency information. There is no out-of-the-box connector, but the API integration is straightforward and both platforms support webhooks for event-driven automation.