ISO, ITIL and Cobit: What's the difference?

"The three best-practice frameworks cover different domains:-

ISO 17799. This international standard — of which the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) released a revised version in June 2005 — aims to improve the practices and organizations around information security. It defines a global approach to security management that touches the responsibilities and organizations responsible for security as well as the policies, critical asset classification, and risk management. It is best used when security certification and an overall definition of all security processes — logical and physical — are needed and basic rules for security have to be defined.

ITIL. Originally created by the UK government, ITIL summarizes best practices for the implementation of IT management processes. ITIL defines the processes to be implemented to deliver and support IT services (most of the time, IT services today equal applications) focusing on the business (IT’s customer). The ITIL philosophy revolves around the service desk as a communication platform and the configuration management database (CMDB).

COBIT. COBIT compiles an up-to-date international set of generally accepted control objectives for day-to-day use by business managers and IT managers. It addresses IT governance and the key performance indicators associated with process improvement. At first glance, COBIT seems to overlap considerably with ITIL, but COBIT has clearly been influenced by problems raised by the insurance industry. Mergers and acquisitions, unification of processes, outsourcing and audits are main chapters of the COBIT framework.

Here are the strengths and weaknesses of each:-

ISO 17799 provides security controls. It does not provide implementation guidance and does not specifically address how these processes fit into the overall IT management processes.

ITIL is strong on delivery and support processes. It describes how to structure operational processes but is weak on security controls and processes.

COBIT is focused on controls and metrics. It also lacks a security component but provides a more global view of IT processes, at the level of IT organization management principles, than ITIL does.

ISO, ITIL, And COBIT: Complementary Or Overlapping?

Looking at these three frameworks, we reach the conclusion that they do in fact complement each other: you can supplement the IT operational process strengths of ITIL with the critical success factors (CSF) and key performance indicators (KPI) of COBIT, and both can make good use of the security processes and controls defined in ISO.

Examples of complementary elements between ITIL Service Support, COBIT, and ISO are:-

Incident management. Defined as an ITIL service support process, it has an ISO complement in the case of security incidents as well as a COBIT delivery and support chapter.

Problem management. The COBIT delivery and support chapter defines incident and problem management processes that complement the ITIL problem management process.

Change, configuration, and release management. These ITIL processes have a direct complement in COBIT’s change management and configuration changes as well as in ISO’s operational change control, controls against viruses, and third-party security requirements.

COBIT and ISO also provide guidance, key indicators, and controls for the definition of service-level agreements, capacity planning, availability management, and business continuity, which complement ITIL service delivery processes."