ITIL, COBIT AND ISO27001

Burcu Pelin TELLİ
İstanbul Üniversitesi, Computer Engineering
[email protected]

INTRODUCTION

• As large-scale applied computing (aka “Information Technology”) nears its eighth decade of practice, practitioners have generated a great deal of guidance on all its aspects. Some of this guidance has been developed under the imprimatur of governments, major research universities and pre-eminent professional organizations. There is the Information Technology Infrastructure Library (ITIL), sponsored by the United Kingdom via official publication channels, and the Control Objectives for Information Technology (COBIT), sponsored by the Information Systems Audit and Control Association (ISACA). There is also the Capability Maturity Model Integration (CMMI), developed for twenty years now by the Software Engineering Institute at Carnegie Mellon.

INTRODUCTION

• ITIL and COBIT have profound influence and reach in the IT industry globally, serving as defining frameworks for wide sections of IT practice. The frameworks are often used as stringent criteria for awarding contracts and assessing maturity, risk, and performance. Training ecosystems have arisen, and books, conferences, and research revolve around them. All essentially serve to define and stabilize much IT terminology and direct it towards a common description of IT practice.

• IT is under perpetual scrutiny, and the industry is rife with criticism of IT’s ability to deliver consistently and manage itself well. It is therefore appropriate to pay critical attention to these frameworks’ assumptions and implications.

Business Process Management (BPM)

There is an extensive literature associated with Business Process Management (BPM), including how to identify or establish, formally document, and improve business processes. This literature is highly aligned with the broader concerns of general business management, performance management, and the organization as a system. There is also substantial overlap between BPM and continuous improvement techniques such as Lean and Six Sigma. However, this article covers the narrower topic of defining “process” usefully for operational purposes, especially in creating IT industry frameworks.

Business Process Management (BPM)

BPM can be, and is, applied to IT management. ITIL® and COBIT® both use the term “process” pervasively, and are commonly referred to as “process” frameworks. Thus, they position themselves for scrutiny from a BPM perspective.

BPM Life Cycle

Business process management activities can be grouped, somewhat arbitrarily, into categories such as design, modeling, execution, monitoring, and optimization.

ITIL, COBIT AND ISO 27001

• Governance frameworks exist to help businesses and organisations implement best practice in their particular fields. They encourage the use of proven methodologies, aid compliance with relevant standards, and can generally help reduce risk and operating costs.

• Three of the big governance frameworks for those operating in the Information Technology space are ITIL (Information Technology Infrastructure Library), ISO 27001 (International Standards Organisation) and COBIT (Control Objectives for Information and Related Technology).

• All three frameworks offer a mix of guidance, advice and practical tools. Each has its own focus, though they can be used in conjunction. The latest version of COBIT now integrates with the ITIL standard.

ITIL, COBIT AND ISO 27001

For example:

• ITIL is focused on how IT services should be used to underpin business goals and objectives. Originally developed by the UK government in the 1980s to standardise its growing IT use, it is now used by institutions and businesses of all shapes and sizes.

• ISO 27001 is focused on information security standards, and was last updated in 2013. It describes a number of best-practice guidelines for ensuring electronic data is maintained in a safe and secure manner.

• COBIT is a governance framework aimed at regulatory compliance and risk management. Now in its fifth edition, it covers areas like audit and assurance and governance of enterprise IT systems.

ITIL (Information Technology Infrastructure Library)

• ITIL consists of a series of books giving guidance on the provision of quality IT services, and on the accommodation and environmental facilities needed to support IT. ITIL has been developed in recognition of organizations’ growing dependency on IT and embodies best practices for IT Service Management.

• Many of ITIL’s concepts come from a four-volume series called Management System for Information Systems by Edward A. Van Schaik. It was compiled at IBM in 1985; Van Schaik drew on Managing the Data Resource Function by Richard L. Nolan (1974).

ITIL History

• Originally developed by the United Kingdom Government.

• ITIL version 1 was developed under the Central Computer and Telecommunications Agency (CCTA). It was titled “Government Information Technology Infrastructure Management Methodology” (GITMM). GITMM was expanded to 31 volumes over the course of the project, initially directed by Peter Skinner and John Stewart at the CCTA. The change of title came about due to foreign interest in GITMM and its positioning as guidance rather than a formal method.

• Although ITIL was developed in the 1980s, it wasn’t until the mid 90s that ITIL was widely adopted.

Service Support Goals for ITIL

1) Service Desk
2) Incident Management
3) Problem Management
4) Change Management
5) Configuration Management
6) Release Management

Service Delivery Goals for ITIL

1) Capacity Management
2) Availability Management
3) Financial Management of IT Services
4) Service Level Management
5) IT Service Continuity Management

ITIL (Information Technology Infrastructure Library)

• A business process analyst confronted with this list and attempting to apply the accepted definition of process may start by determining that Incidents, Changes, and Problems are indeed event-driven and countable, usually managed in some sort of IT ticketing system. It is therefore not hard to translate their functional naming to strong-verb processes:

• Resolve Incident
• Implement Change
• Correct Problem

• Similarly, diagramming them as cross-functional process flows should be straightforward, as should measuring and controlling these processes.

• However, things become much murkier with “processes” like Capacity, Availability, and Configuration/Asset Management. What is a Capacity? How many Capacities have we done today? Does one “establish” Capacity, “adjust” it, “enhance” it, or “reduce” it? When was the last Availability finished? Who benefited? We can count Assets, but what about Configurations?

ITIL (Information Technology Infrastructure Library)

• Obviously, these questions are somewhat nonsensical, but this is what happens when functions are confused with processes. ITIL does define its own limited set of “functions,” only in the Service Operation volume:

• Service Desk
• Technical management function
• IT operations function
• Application management function

• This leaves ITIL with 25 IT “processes” and four IT “functions.” This is exactly the inverse of much BPM guidance, which would suggest that the true, value-adding, enterprise-essential processes are relatively fewer than the functions.

Determining the need for ITIL

Each category has a specific set of goals, used to compare the company’s current level of service with the goals of the subcategories of Service Support. Generally speaking, the more goals a company is missing, the more likely it is that the company needs ITIL.

COBIT

• The Control Objectives for Information Technology, or COBIT, takes a somewhat different tack in establishing its “processes.” First, there is a clear attempt to start with a verb, as we can see from this subset:

• Determine Technological Direction
• Manage Service Desk and Incidents
• Ensure Continuous Service
• Manage Changes
• Enable Operation and Use
• Manage Quality

COBIT

• However, these processes are often not crisp or countable. One is never done “managing,” “ensuring,” or “enabling.” As Sharp and McDermott state, “Name with Action Verbs, Not Mushy Verbs”. In actual IT practice, many COBIT processes seem more akin to steady-state IT functions, such as a Business Continuity Planning organization (for Ensure Continuous Service).

• The reader at this point may think the critique unfair, in that a functional area like Business Continuity Planning may well have smaller-grained, crisply countable processes. However, this is often true of functional silos, and leads to the problems of IT process proliferation, value obscurity, and unmanaged demand, which will be addressed below in “Consequences of process confusion.” Again, we need to hit a sweet spot of business visibility and criticality. Does the end user derive value from Business Continuity Planning per se, or is this better seen as a component or quality attribute of a more fundamental value concept, such as delivering an Application or Infrastructure Service?

Comparison of COBIT and ITIL

COBIT
• Control focused
• Uses IT metrics
• Used by auditors in SOX
• Critical Success Factors

ITIL
• Strong concentration on processes
• Security is a very important component
• Focused on Service Delivery

ISO 27001

• ISO 27001, part of the growing ISO/IEC 27000 family of standards, is an information security management system (ISMS) standard, published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its full name is ISO/IEC 27001:2005 – Information technology – Security techniques – Information security management systems – Requirements. It was superseded in 2013 by ISO/IEC 27001:2013.

ISO 27001

• ISO/IEC 27001 formally specifies a management system that is intended to bring information security under explicit management control. Being a formal specification means that it mandates specific requirements. Organizations that claim to have adopted ISO/IEC 27001 can therefore be formally audited and certified compliant with the standard (more below).

• The specification defines a six-part planning process:

1) Define a security policy.
2) Define the scope of the ISMS.
3) Conduct a risk assessment.
4) Manage identified risks.
5) Select control objectives and controls to be implemented.
6) Prepare a statement of applicability.

ISO 27001

• ISO 27001 uses a top-down, risk-based approach and is technology-neutral.

• The specification includes details for documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action. The standard requires cooperation among all sections of an organisation.

• ISO 27001 differs most from COBIT and ITIL because it is a security standard, so it has a smaller but deeper domain compared to COBIT and ITIL.

Here is the detailed comparison table of the three standards:

AREA            COBIT                                 ITIL                                  ISO 27001
Function        Mapping IT Process                    Mapping IT Service Level Management   Information Security Framework
Area            4 Process and 34 Domain               9 Process                             10 Domain
Issuer          ISACA                                 OGC                                   ISO Board
Implementation  Information System Audit              Manage Service Level                  Compliance to security standard
Consultant      Accounting Firm, IT Consulting Firm   IT Consulting firm                    IT Consulting firm, Security Firm, Network Consultant

What should be implemented first?

• There's no exact answer to this question, but I think it really depends on your company and your requirements. Most companies start by implementing COBIT first because it covers the general information system. After that they usually choose between ITIL or ISO27001.

• Another consideration is budget and authority. COBIT implementation usually runs from the internal audit budget, and ITIL or ISO27001 is usually performed using the IT department budget. This consideration usually makes which standard to implement first depend on management policy.

What is the easiest standard?

• From the implementation view, ITIL is the easiest standard to implement, because ITIL can be implemented partially and still not have an impact on performance. For example, if the IT department lacks budget, it could choose to implement the IT Service Delivery layer only, and the next year try to implement IT Release Management or IT Problem Management.

• However, COBIT and ISO27001 are quite difficult to implement partially, since one should see a process in the bigger view first before they can be implemented partially.

How to choose the right vendor?

• Many vendors say that they can help your company implement these standards effectively; in fact there is no one solution for all. Usually the COBIT vendor comes from a public accounting firm which has an IT audit arm, e.g. PwC, DTT, KPMG, EY. This type of vendor is the best choice for COBIT since they also work on COBIT implementation derivatives such as COBIT for Sarbanes-Oxley.

• The other standards, ITIL and ISO27001, usually come from general IT consulting companies, e.g. IBM, Accenture. And for ISO27001, most IT networking companies can also offer consultation on this standard.

References

1. The Stationery Office, ITIL® Service Operation: 2011 Edition. Information Technology Infrastructure Library 2011, Norwich, U.K.: The Stationery Office.
2. The Stationery Office, ITIL® Service Transition: 2011 Edition. Information Technology Infrastructure Library 2011, Norwich, U.K.: The Stationery Office.
3. The Stationery Office, ITIL® Continual Service Improvement: 2011 Edition. Information Technology Infrastructure Library 2011, Norwich, U.K.: The Stationery Office.
4. The Stationery Office, ITIL® Service Strategy: 2011 Edition. Information Technology Infrastructure Library 2011, Norwich, U.K.: The Stationery Office.
5. The Stationery Office, ITIL® Service Design: 2011 Edition. Information Technology Infrastructure Library 2011, Norwich, U.K.: The Stationery Office.
6. IT Governance Institute, COBIT® 4.1 2007, Rolling Meadows, IL: IT Governance Institute.
7. CMMI® Product Team, CMMI® for Development, Version 1.3, 2010, Carnegie Mellon Software Engineering Institute: Pittsburgh, PA.
8. http://www.eccinternational.com/consulting/it-process-excellence/isms-iso-27001
9. Burlton, R., Business Process Management: Profiting from Process. 2001, Indianapolis, Indiana: SAMS.
10. Harmon, P., Business Process Change: A Manager's Guide to Improving, Redesigning, and Automating Processes. 2003, Amsterdam: Elsevier.
11. Rummler, G.A. and A.P. Brache, Improving Performance: How to Manage the White Space on the Organization Chart. 2nd ed. The Jossey-Bass Management Series. 1995, San Francisco, CA: Jossey-Bass. xxv, 226 p.
12. Sharp, A. and P. McDermott, Workflow Modeling: Tools for Process Improvement and Applications Development. 2nd ed. 2009, Boston: Artech House. xx, 449 p.
13. https://en.wikipedia.org/wiki/Ana_Sayfa
14. https://www.collaboris.com/solutions/ITIL-COBIT-ISO27001-compliance
15. http://beefchunk.com/documentation/security-management/comparison_between_COBIT_ITIL_and_ISO_27001
16. http://www.itskeptic.org/content/why-cobit-wins-showdown-itil
17. http://www.eccinternational.com/consulting/it-process-excellence/isms-iso-27001
18. http://searchdatacenter.techtarget.com/definition/ITIL