Thursday, 3 March 2016

ITIL, COBIT and ISO 27001

COBIT
Control Objectives for Information and Related Technology (COBIT) is a framework created by ISACA for information technology (IT) management and IT governance. It is a supporting toolset that lets managers bridge the gap between control requirements, technical issues and business risks.
The goal of the framework is to provide a common language in which business executives can communicate about goals, objectives and results. The original version, published in 1996, focused largely on auditing. The current version, COBIT 5 (published in 2012), emphasizes the value that information governance can contribute to a business's success, and gives considerable guidance on enterprise risk management.
ITIL
ITIL, formerly an acronym for Information Technology Infrastructure Library, is a set of practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business. In its current form (known as ITIL 2011 edition), ITIL is published as a series of five core volumes, each of which covers a different ITSM lifecycle stage. Although ITIL underpins ISO/IEC 20000 (previously BS 15000), the International Service Management Standard for IT service management, there are some differences between the ISO 20000 standard and the ITIL framework.
ITIL describes processes, procedures, tasks, and checklists which are not organization-specific, but can be applied by an organization for establishing integration with the organization's strategy, delivering value, and maintaining a minimum level of competency. It allows the organization to establish a baseline from which it can plan, implement, and measure. It is used to demonstrate compliance and to measure improvement.
Since July 2013, ITIL has been owned by AXELOS, a joint venture between Capita and HM Cabinet Office. AXELOS licenses organisations to use the ITIL intellectual property, accredits licensed examination institutes, and manages updates to the framework.

ISO 27001
ISO 27001 (formally ISO/IEC 27001; the edition described in this section is ISO/IEC 27001:2005, since superseded by ISO/IEC 27001:2013) is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that covers the legal, physical and technical controls involved in an organisation's information risk management processes.
According to its documentation, ISO 27001 was developed to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system."

ISO 27001 uses a top-down, risk-based approach and is technology-neutral. The specification defines a six-part planning process:
1. Define a security policy.
2. Define the scope of the ISMS.
3. Conduct a risk assessment.
4. Manage identified risks.
5. Select control objectives and controls to be implemented.
6. Prepare a statement of applicability.
The specification includes details for documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action. The standard requires cooperation among all sections of an organisation.
The 27001 standard does not mandate specific information security controls, but it provides a checklist of controls that should be considered in the accompanying code of practice, ISO/IEC 27002:2005. This second standard describes a comprehensive set of information security control objectives and a set of generally accepted good practice security controls.
ISO/IEC 27002:2005 contains 12 main sections:
1. Risk assessment
2. Security policy
3. Organization of information security
4. Asset management
5. Human resources security
6. Physical and environmental security
7. Communications and operations management
8. Access control
9. Information systems acquisition, development and maintenance
10. Information security incident management
11. Business continuity management
12. Compliance
Organisations are required to apply these controls appropriately in line with their specific risks. Third-party accredited certification is recommended for ISO 27001 conformance; note that certification is issued against ISO 27001 itself, not against ISO 27002, which is a code of practice rather than a certifiable standard. The 2013 revision reorganised the control catalogue into 14 domains (Annex A of ISO/IEC 27001:2013), so the list above reflects the 2005 edition.
ITIL vs COBIT
COBIT and ITIL have been used by information technology professionals in the IT service management (ITSM) space for many years. Used together, COBIT and ITIL provide guidance for the governance and management of IT-related services by enterprises, whether those services are provided in-house or obtained from third parties such as service providers or business partners.
Enterprises need to govern and manage their information and related technology assets and resources, and those arrangements customarily include both internal and external services to satisfy specific stakeholder needs. COBIT 5 aims primarily to guide enterprises on the implementation, operation and, where required, improvement of their overall arrangements relating to governance and management of enterprise IT (GEIT). ITIL provides guidance and good practice for IT service providers for the execution of IT service management from the perspective of enabling business value.
COBIT 5 describes the principles and enablers that support an enterprise in meeting stakeholder needs, specifically those related to the use of IT assets and resources across the whole enterprise. ITIL describes in more detail those parts of enterprise IT that are the service management enablers (process activities, organizational structures, etc.).
Generally speaking:
· COBIT is broader than ITIL in its scope of coverage (GEIT). It is based on five principles (meeting stakeholder needs; covering the enterprise end to end; applying a single, integrated framework; enabling a holistic approach; and separating governance from management) and seven enablers (principles, policies and frameworks; processes; organizational structures; culture, ethics and behavior; information; services, infrastructure and applications; people, skills and competencies).
· ITIL focuses on ITSM and provides much more in-depth guidance in this area, addressing five stages of the service life cycle: service strategy, service design, service transition, service operation and continual service improvement.
Also, COBIT and ITIL are well aligned in their approach to ITSM. The COBIT 5 Process Reference Model, as documented in COBIT 5:  Enabling Processes, maps closely to the ITIL v3 2011 stages.
The distinction between the two is sometimes described as “COBIT provides the ‘why’; ITIL provides the ‘how.’” While catchy, that view is simplistic and seems to force a false “one or the other” choice. It is more accurate to state that enterprises and IT professionals who need to address business needs in the ITSM area would be well served to consider using both COBIT and ITIL guidance. Leveraging the strengths of both frameworks, and adapting them for their use as appropriate, will aid in solving business problems and supporting business goals achievement.
COBIT vs ISO 27001
When deciding whether an organization should implement either of these two frameworks, we must recognise that while COBIT and ISO 27001 differ in many aspects, they also overlap in places. This is a particularly difficult decision for a manager, who has to read both frameworks closely enough to identify which objectives are similar but worded differently, and which objectives look nearly identical in scope yet differ substantially because of a small difference in wording. Beyond that, several other factors bear on an organization's choice of framework: alignment with the organization's goals and objectives, relationships with other organizations that follow common standards, the ability to meet objectives with existing infrastructure and smaller budgets, risk assessment and risk management, training of employees, and more.
ITIL and ISO 27001
Here at IT Governance we have focused a lot on the recent launch of ISO/IEC 27001:2013. However, my interest in everything related to ITIL and service management hasn't dimmed. In fact, some questions on how the new edition of ISO 27001 relates to ITIL 2011 have come into my mind lately. I therefore perused the ITIL Lifecycle Publication Suite to see if anything clashed with the new version of ISO 27001.
Having viewed the guidance in the Service Design publication, in which the Security Management process is documented, it would seem that not a lot clashes between the information security standard and the ITIL framework. It's important to remember that ITIL was last updated in 2011 and therefore reflects the 2005 edition of ISO 27001.
But are ITIL 2011 and ISO/IEC 27001:2013 compatible?
On the face of it, it would appear they are compatible. None of the guidance, including the plan-do-check-act (PDCA) cycle mentioned in ITIL 2011 or asset-based risk assessments, is incompatible with ISO 27001:2013. Additionally, both ITIL 2011 and ISO/IEC 27001:2013 say you should use a set of information security controls, but do not mandate which set of controls you use, which in some ways could be seen as ITIL being ahead of the ISO 27001 curve as it was published in 2011.
So to summarise, ITIL 2011 and ISO/IEC 27001:2013 can be employed together. Yes, there are some parts of ITIL that will need to be updated to reflect the greater flexibility toward the implementation of an ISMS that ISO/IEC 27001:2013 brings and the use of technical language, but other than these points, they can be widely leveraged together.
If you employ ITIL in your organisation and haven't touched on ISO/IEC 27001 until now, ISO/IEC 27001:2013 makes it easier than ever to get started with ISMS implementation.