Many of corporations in nowadays invest to IT Department for keeping benefits of their firms(client, secret fir documents …).Again many of big firms implement ITIL, Cobit and ISO27001 to their IT departments in this invest areas. There are many connections and interactions between these technologies. For show interactions between ITIL, Cobit and ISO27001 i should explain the definitions of these terms. In the first header I will try to express ITIL.
ITIL (Information Technology Infrastructure Library):
ITIL, formerly an acronym for Information Technology Infrastructure Library, is a set of practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business. (ITIL)
Responding to growing dependence on IT, the UK Government’s Central Computer and Telecommunications Agency (CCTA) in the 1980s developed a set of recommendations. It recognized that, without standard practices, government agencies and private sector contracts had started independently creating their own IT management practices.
In ITIL 2011 edition ITIL publish 5 main volumes that define ITSM stage which are:
- ITIL Service Strategy: understands organizational objectives and customer needs.
- ITIL Service Design: turns the service strategy into a plan for delivering the business objectives.
- ITIL Service Transition: develops and improves capabilities for introducing new services into supported environments.
- ITIL Service Operation: manages services in supported environments.
- ITIL Continual Service Improvement: achieves services incremental and large-scale improvements.
Key benefits of ITIL:
- Manage business risk and service disruption or failure
- Improve and develop positive relationships with your customers by delivering efficient services that meet their needs
- Establish cost-effective systems for managing demand for your services
- Support business change whilst maintaining a stable service environment
Control Objectives for Information and Related Technology (COBIT) is a framework created by ISACA for information technology (IT) management and IT governance. It is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.
ISACA first released COBIT in 1996; ISACA published the current version, COBIT 5, in 2012. (Cobit, 2016)
COBIT has 5 main components which are:
- Process Description
- Control Objectives
- Management guidelines
- Maturity models
COBIT focuses on the broader decisions in IT management and does not dwell into technical details. It is a framework of best practices in managing resources, infrastructure, processes, responsibilities, controls, etc.
It is a good solution when managers are looking for a framework which serves as an integrated solution within itself, rather than having to be implemented along with other IT governance frameworks. However, its biggest short-coming is that it does not give “how to” guidelines to accomplish the control objectives. This is not preferred when the thrust in on correct implementation of security controls. (Arora, 2016)
ISO 27000 series is a family of IS management standards. It is the set of standards in this family that focuses on Information Systems Management (ISM). Initially known as the BS7799 standard, this was included in the set of ISO standards when ISO decided to include ISMS standards as one of the set of ISO standards. As a result of this, the standards’ name/number was adopted and it was called the ISO17799:2005 series. To bring the Information Security Management Systems (ISMS) standard BS7799-2 in line with other IS standards, this standard was included in the ISO 27000 series as ISO 27001. ISO 27001 defines methods and practices of implementing information security in organizations with detailed steps on how these implemented. They aim to provide reliable and secure communication and data exchange in organizations. Also, it stresses on a risk approach to accomplishing its objectives. This standard dives deep into ways to implement its sub objectives. This puts managers who are looking for clarifications on implementation, at an advantage. However, it fails to achieve the goal of integrating into a larger system. It is standalone in its nature, and does not work as a complete ISM solution. (Arora, 2016)
(Comparison between COBIT, ITIL and ISO 27001, 2016)
- COBIT (published by ITGI) is a high-level framework (relative to ITIL, ISO 27002 and NIST) that maps core IT processes in a manner that allows governance bodies – usually business executives – to successfully execute key policies and procedures. Similar to ISO 27002, it answers the ‘what’ that is being managed, as opposed to the ‘how’ answered by ITIL. However, whereas ITIL and ISO 27002 are focused only on information security, COBIT allows for a much broader scope, taking into account all of IT management processes.
- ITIL is a set of best practices an organization may implement in order to align IT resources and offerings to business goals. It is offered in a series of five core publications each corresponding to a stage in the lifecycle of IT. This process produces documentation of processes, tasks and checklists not specific to the organization with a goal of being able to create a baseline from which to implement controls and measure success.
- ISO27001 produced by the ISO (International Organization for Standard). Formulates a management system that to control information security, it does not provide specific or industry-related controls
When to Use:
- COBIT is a good candidate when an organization wishes to create an organization-wide framework for management that is scoped outside of information security only. While not providing direct accreditation, certification can be achieved through closely aligned paths.
- ITIL points to ISO standards as a framework in which to implement a solution. This applies well for organizations wishing to use ISO standards with global recognition without necessarily achieving an ISO 27001 certification.
The associated certification for ISO 27001 provides a worldwide recognition and acceptance, and therefore organizations wishing to operation across international boundaries may find implementation and certification advantageous. Additionally, some ISO 27001 certified companies require partners to become certified as well.
(A Comparison of COBIT, ITIL, ISO 27002 and NIST, 2016)
- ITIL was designed as a service management framework to help you understand how you support processes, how you deliver services
- COBIT was designed as an IT governance model, particularly and initially with audit in mind to give you control objectives and control practices on how that process should behave
- The difference between the two is, COBIT tells you what you should be doing, while ITIL tells you how you should be doing it
- Put COBIT and ITIL together, and you have a very powerful model of what you need to be doing and how you need to be doing it, when it comes to your process management
- Basically ISO gives security, but does not provide to acknowledge of how to integrate them into business process
- ITIL focus IT processes
- COBIT focuses on control and metrics
- So, a combination of all three is usually the best approach. COBIT can be used to determine if the company’s needs are being properly supported by IT.ISO can be used to determine and improve upon company’s security posture. And ITIL can be used to improve IT processes to meet the company’s goals (including security).
(A comparison of the business and technical drivers for ISO 27001, ISO 27002, COBIT and ITIL, 2016)
- A Comparison of COBIT, ITIL, ISO 27002 and NIST. (2016, 03 04). agnosticationater.blogspot.com.tr: http://agnosticationater.blogspot.com.tr/2013/12/a-comparison-of-cobit-itil-iso-27002.html
- A comparison of the business and technical drivers for ISO 27001, ISO 27002, COBIT and ITIL. (2016, 03 04). http://trongbang86.blogspot.com.tr/: http://trongbang86.blogspot.com.tr/2010/11/comparison-of-business-and-technical.html
- Arora, V. (2016, 03 03). Comparing different information security standards: COBIT v s. ISO 27001 . Qatar CMU: https://qatar.cmu.edu/media/assets/CPUCIS2010-1.pdf
- (2016, 03 03). Key Benefits Of ITIL. Axelos: https://www.axelos.com/best-practice-solutions/itil/key-benefits-of-itil
- Cobit. (2016, 03 03). Wikipedia: https://en.wikipedia.org/wiki/COBIT
- Comparison between COBIT, ITIL and ISO 27001. (2016, 03 04). beefchunk: http://beefchunk.com/documentation/security-management/comparison_between_COBIT_ITIL_and_ISO_27001.pdf
- ITIL.. 03 03, 2016 Wikipedia: https://en.wikipedia.org/wiki/ITIL
- Verma, M. (2016, 04 03). Comparison of it governance framework-COBIT, ITIL, BS7799. Slideshare.net: http://www.slideshare.net/meghnaverma3956/comparison-of-it-governance-frameworkcobit-itil-ds