Control Objectives for Information and Related Technology (COBIT) is a framework created by ISACA for information
technology (IT) management and IT governance. It is a supporting toolset that allows managers to bridge the gap between
control requirements, technical issues and business risks.
The goal of the framework is to
provide a common language for business executives to communicate with each
other about goals, objectives and results. The original version, published in
1996, focused largely on auditing. The latest version, published in 2013,
emphasizes the value that information governance can provide to a business' success. It also provides quite a
bit of advice about enterprise risk management.
ITIL
ITIL describes processes, procedures,
tasks, and checklists which are not organization-specific, but can be applied
by an organization for establishing integration with the organization's
strategy, delivering value, and maintaining a minimum level of competency. It
allows the organization to establish a baseline from which it can plan,
implement, and measure. It is used to demonstrate compliance and to measure
improvement.
Since July 2013, ITIL has been owned
by AXELOS, a joint venture between Capita and
HM Cabinet Office. AXELOS licenses organisations
to use the ITIL intellectual property, accredits licensed examination
institutes, and manages updates to the framework.
ISO 27001
ISO 27001
(formally known as ISO/IEC 27001:2005) is a specification for an
information security management system (ISMS). An ISMS is a framework of
policies and procedures that includes all legal, physical and technical
controls involved in an organisation's information risk management processes.
According to
its documentation, ISO 27001 was developed to "provide a model for
establishing, implementing, operating, monitoring, reviewing, maintaining and
improving an information security management system."
ISO 27001
uses a top-down, risk-based approach and is technology-neutral. The
specification defines a six-part planning process:
1. Define a security policy.
2. Define the scope of the ISMS.
3. Conduct a risk assessment.
4. Manage identified risks.
5. Select control objectives and controls to be implemented.
6. Prepare a statement of applicability.
The
specification includes details for documentation, management responsibility,
internal audits, continual improvement, and corrective and preventive action.
The standard requires cooperation among all sections of an organisation.
The 27001
standard does not mandate specific information security controls, but it
provides a checklist of controls that should be considered in the accompanying
code of practice, ISO/IEC 27002:2005. This second standard describes a
comprehensive set of information security control objectives and a set of generally
accepted good practice security controls.
ISO 27002 contains 12 main sections:
1. Risk assessment
2. Security policy
3. Organization of information security
4. Asset management
5. Human resources security
6. Physical and environmental security
7. Communications and operations management
8. Access control
9. Information systems acquisition, development and maintenance
10. Information security incident management
11. Business continuity management
12. Compliance
Organisations
are required to apply these controls appropriately in line with their specific
risks. Third-party accredited certification is recommended for ISO 27001
conformance.
ITIL vs COBIT
COBIT and ITIL have been used by information technology professionals in
the IT service management (ITSM) space for many years. Used together, COBIT and
ITIL provide guidance for the governance and management of IT-related services
by enterprises, whether those services are provided in-house or obtained from
third parties such as service providers or business partners.
Enterprises need to govern and manage their information and related
technology assets and resources, and those arrangements customarily include
both internal and external services to satisfy specific stakeholder needs.
COBIT 5 aims primarily to guide enterprises on the implementation, operation
and, where required, improvement of their overall arrangements relating to
governance and management of enterprise IT (GEIT). ITIL provides guidance and
good practice for IT service providers for the execution of IT service
management from the perspective of enabling business value.
COBIT 5 describes the principles and enablers that support an enterprise in
meeting stakeholder needs, specifically those related to the use of IT assets
and resources across the whole enterprise. ITIL describes in more detail those
parts of enterprise IT that are the service management enablers (process
activities, organizational structures, etc.).
· COBIT is broader than ITIL in
its scope of coverage (GEIT). It is based on five principles (meeting
stakeholder needs; covering the enterprise end to end; applying a single,
integrated framework; enabling a holistic approach; and separating
governance from management) and seven enablers (principles, policies and
frameworks; processes; organizational structures; culture, ethics and behavior;
information; services, infrastructure and applications; people, skills and
competencies).
· ITIL focuses on ITSM and provides much more in-depth guidance in this
area, addressing five stages of the service life cycle: service strategy,
service design, service transition, service operation and continual service
improvement.
Also, COBIT and ITIL are well aligned in their approach to ITSM. The COBIT
5 Process Reference Model, as documented in COBIT 5: Enabling
Processes, maps closely to the ITIL v3 2011 stages.
The distinction between the two is sometimes described as “COBIT provides
the ‘why’; ITIL provides the ‘how.’” While catchy, that view is simplistic and seems
to force a false “one or the other” choice. It is more
accurate to state that enterprises and IT professionals who need to address
business needs in the ITSM area would be well served to consider using both
COBIT and ITIL guidance. Leveraging the strengths of both frameworks, and
adapting them for their use as appropriate, will aid in solving business
problems and supporting business goals achievement.
COBIT vs ISO 27001
In trying to understand whether an organization
should implement either of these two frameworks, we must realize that while COBIT
and ISO 27001 are different in many aspects, they do have some overlap and
similarities. It is a particularly difficult decision for the manager, who
is required to read through both frameworks closely and understand which objectives are
similar but worded differently, and which objectives may look nearly identical
in scope yet differ substantially because of a minor difference in wording.
As it turns out, there is more than just
the above-mentioned factor for an organization to consider when choosing a preferred framework.
These include: alignment with the goals and objectives of the organization,
relationships with other organizations following common standards, ability to
accomplish objectives with existing infrastructure and smaller budgets,
risk assessment and risk management, training of employees, and many more.
ITIL and ISO 27001
Here at IT
Governance we have focused a lot on the recent launch of ISO/IEC 27001:2013. However, my interest in everything related to
ITIL and service management hasn’t dimmed. In fact, some questions on how
the new edition of ISO27001 relates to ITIL 2011 have come into
my mind lately. I therefore perused the ITIL Lifecycle Publication Suite to see if anything clashed with the
new version of ISO27001.
Having
viewed the guidance in the Service Design publication, in which the Security
Management process is documented, it would seem that not a lot clashes
between the information security standard and the
ITIL framework. It’s important to remember that ITIL was last
updated in 2011 and therefore reflects the 2005 edition of ISO27001.
But are ITIL 2011 and ISO/IEC 27001:2013
compatible?
On the
face of it, it would appear they are compatible. None of the
guidance, including the plan-do-check-act (PDCA) cycle mentioned in
ITIL 2011 or asset-based risk assessments, is incompatible with ISO
27001:2013. Additionally, both ITIL 2011 and ISO/IEC
27001:2013 say you should use a set of information security controls,
but do not mandate which set of controls you use, which in some ways could
be seen as ITIL being ahead of the ISO 27001 curve, as it was published
in 2011.
So to
summarise, ITIL 2011 and ISO/IEC 27001:2013 can be employed together.
Yes, there are some parts of ITIL that will need to be updated to
reflect the greater flexibility toward the implementation of an
ISMS that ISO/IEC 27001:2013 brings and the use of technical language,
but other than these points, they can be widely leveraged together.
If you employ ITIL in your organisation
and haven’t touched on ISO/IEC 27001 until now, ISO/IEC 27001:2013 makes it
easier than ever to get started with ISMS implementation.