
These days many organizations invest huge amounts of money and resources to deliver value from IT while managing a complex range of IT-related challenges, such as:

  • Aligning IT with the business: In many cases there is a significant gap between what users expect and what IT provides.
  • Enforcing security: Making information readily available to users brings security risks such as unauthorized access and disclosure.
  • Keeping IT up and running: Nearly all businesses depend heavily on IT. When IT systems break down, the impact is huge.
  • Managing IT complexity: An enterprise typically uses a variety of IT systems and people, resulting in diverse infrastructures and a number of external relationships that must be managed.
  • Achieving regulatory compliance: Following recent corporate scandals, the IT function must be aware of, and able to demonstrate compliance with, national and international regulatory requirements.
  • Balancing value and cost: Despite the falling cost of hardware, total expenditure on IT keeps increasing and is considered by top managers to be out of control.

One way of addressing these challenges is to implement best practices such as the IT Infrastructure Library (ITIL). Organizations wishing to adopt IT best practices need an effective management framework that provides a consistent approach, one that both ensures successful business results from the use of IT and supports the achievement of the enterprise's strategy.

This is where COBIT makes its mark as the framework to use. COBIT, which stands for Control Objectives for Information and related Technology, focuses on "what needs to be achieved" rather than "how to achieve it". It is a framework and a knowledge base for IT processes and their management. The framework is based on the premise that IT needs to deliver the information the enterprise requires to achieve its objectives. As a result it helps align IT with the business by focusing on business information requirements and organizing IT resources accordingly. It draws on established frameworks such as the Software Engineering Institute's CMM, ISO 9000, ITIL and ISO/IEC 27002.

Because of its high level and broad reach, COBIT is often called the "integrator", bringing a range of practices under a single umbrella.

COBIT has 3 primary components:

  • Business Requirements: What stakeholders expect from IT
  • IT Resources: A means of identifying the resources required to execute processes
  • IT Processes: How IT is organized to meet those requirements

Business Requirements

In order to satisfy business objectives, information needs to meet certain control criteria, which COBIT refers to as business requirements. According to COBIT there are 7 distinct information criteria:

  • Effectiveness: Information is relevant to the business process and is delivered in a timely, correct, consistent and usable manner.
  • Efficiency: Information is provided through the optimal (most productive and economical) use of resources.
  • Confidentiality: Sensitive information is protected from unauthorized access and disclosure.
  • Integrity: Information is accurate and complete, and valid in terms of business values and expectations.
  • Availability: Information is available when required by the business process, now and in the future; this also covers the safeguarding of the necessary resources.
  • Compliance: Information complies with the laws, regulations and contractual arrangements to which the business process is subject.
  • Reliability: Appropriate information is provided to management so that it can run the entity and exercise its fiduciary and governance responsibilities.

IT Processes

IT processes are the generally accepted tasks and activities arranged in a process model. There are 34 IT processes in total, spread across 4 domains:

  • Plan and Organize (PO): Identify the ways in which IT can contribute to the achievement of business objectives. It includes 10 processes.
  • Acquire and Implement (AI): To realize the IT strategy, IT solutions need to be identified, developed or acquired, implemented and integrated with business processes. It includes 7 processes.
  • Deliver and Support (DS): Deliver the required services, covering a range of operations from security and continuity to training. This domain includes 13 processes.
  • Monitor and Evaluate (ME): Regularly assess IT processes for quality and compliance with control requirements. It includes 4 processes.

IT Resources

IT resources are managed by the IT processes to provide the information the organization needs to achieve its objectives. IT resources are broadly classified into:

  • Applications: The automated and manual systems that process the information.
  • Information: Data in all its forms.
  • Infrastructure: The technology and facilities that enable the processing of the data.
  • People: The personnel required to plan, implement, execute, support and monitor the systems and services.

How does ITIL map to COBIT?

IT best practices need to be aligned to business requirements. They must also be integrated with one another and with internal procedures. COBIT can be used at the highest level, providing an overall control framework based on an IT process model that should generically suit any organization. ITIL is a set of best practices that covers discrete areas and can be mapped onto the COBIT framework, thereby providing a hierarchy of guidance: COBIT says what control must be achieved, ITIL describes how the corresponding service management process is run.

The table below shows a sample of that mapping for two ITIL processes, the Service Desk and Incident Management. Please note that the mapping is subjective and is shown only to help you understand the relationship between the two frameworks; it is a sample taken from ISACA's own COBIT-to-ITIL mapping, and the COBIT process and control objective identifiers are reproduced as ISACA published them.

ITIL process / activity                            | COBIT process | Detailed control objective
The Service Desk                                   |               |
Understand business and customer service criteria  | AI1           | AI1.1  Definition of information requirements
Plan and design service desk infrastructure        | DS8           | DS8.1  Help desk
Specify targets and effectiveness metrics          | DS8           | DS8.5  Trend analysis and reporting
Determine service desk functions                   | DS8           | DS8.1  Help desk
Resource and manage service desk effectively       | DS8           | DS8.1  Help desk
Define responsibilities and resolution pathways    | DS8           | DS8.3  Customer query escalation
Monitor workload                                   | DS8           | DS8.4  Monitoring of clearance
Undertake customer/user satisfaction surveys       | PO8           | PO8.1  External requirements review
Produce management reports                         | DS8           | DS8.5  Trend analysis and reporting
Facilitate service management reviews              | M2            | M2.3   Internal control level reporting
Incident Management                                |               |
Record incidents                                   | DS8           | DS8.2  Registration of customer queries
Incident investigation and diagnosis               | DS10          | DS10.1 Problem management system
Assign ownership                                   | DS10          | DS10.1 Problem management system
Incident resolution and recovery                   | DS10          | DS10.1 Problem management system
Incident closure                                   | DS10          | DS10.1 Problem management system

Stay tuned for further mapping between COBIT and ITIL.

For more information please refer to the ISACA and Wikipedia pages on COBIT.

1 Comment

  1. Gregory Misiorek
    Not sure why, but the US does not seem to be a party to ISO 17799 (http://en.wikipedia.org/wiki/ISO/IEC_17799). This reminds me a bit of the convergence (or lack thereof) between IFRS and US GAAP, or between the PMI and PRINCE standards. All of them seem to accomplish the same goal using slightly different terminology and semantics, but it's simply all common sense, with one standard emphasizing something like substance over form and the other arriving at the same conclusions, eventually. It's like a semantic difference between control and security; is there one? I say it's in the eye of the beholder.