IT Governance:
COBIT, ISO17799 &
ITIL
Introduction

Agenda: Introduction, COBIT, ITIL, ISO17799, Others

Diagram (not reproduced in the text): IT governance balancing effectiveness and efficiency against the demands of external stakeholders and internal stakeholders.
Introduction
IT governance:
• Effective
• Meets management’s requirements
• Risks managed
• Controlled
• Provides value for money
“We are fast approaching the stage of IT evolution at which
innovation must translate into overall process improvements, as
it did in the mainframe world of 20 years ago.”
Source: Forrester
COBIT
Control Objectives for Information and related Technology
by ISACA / ITGI
(The four domains and 34 processes listed here, with the PO/AI/DS/ME identifiers used in the mapping, are those of COBIT 4.x.)
COBIT domains:
Plan and organize
Acquire and implement
Deliver and support
Monitor and evaluate
COBIT - Plan and Organize
Define strategic IT plan
Define information architecture
Determine technological direction
Define IT processes, organization and relationships
Manage IT investment
Communicate management aims and direction
Manage IT human resources
Manage quality
Assess and manage IT risks
Manage projects
COBIT - Acquire and Implement
Identify automated solutions
Acquire and maintain application software
Acquire and maintain technology infrastructure
Enable operation and use
Procure IT resources
Manage changes
Install and accredit solutions and changes
COBIT - Deliver and Support
Define and manage service levels
Manage third-party services
Manage performance and capacity
Ensure continuous service
Ensure systems security
Identify and allocate costs
Educate and train users
Manage service desk and incidents
Manage configuration
Manage problems
Manage data
Manage physical environment
Manage operations
COBIT - Monitor and Evaluate
Monitor and evaluate IT performance
Monitor and evaluate internal control
Ensure regulatory compliance
Provide IT governance
ISO17799
Information technology - Security techniques - Code of practice for information security management (ISO/IEC 17799:2005)
by the International Organization for Standardization (ISO), jointly with the International Electrotechnical Commission (IEC). The standard was renumbered ISO/IEC 27002 in 2007 with the same eleven control clauses listed below.
ISO17799 control clauses:
Security policy
Organizing information security
Asset management
Human resources security
Physical and environmental security
Communications and operations management
Access control
Information system acquisition, development and maintenance
Information security incident management
Business continuity management
Compliance
ITIL
Information Technology Infrastructure Library
by UK government / Office of Government Commerce (OGC)
ITIL (version 2) service management sets:
Service support
Service delivery
ITIL - Service Support
Incident management
Configuration management
Problem management
Change management
Release management
ITIL - Service Delivery
Service level management
Capacity management
Availability management
Security management (published by OGC as a separate ITIL volume; grouped here with Service Delivery)
Continuity management
Financial management
Mapping COBIT, ISO17799 & ITIL

Key: Strong relationship / Weak relationship / No relationship
(In the original slides each ISO17799 and ITIL entry was colour-coded by relationship strength; the colour coding is not preserved in this text. "-" marks a COBIT process with no mapped ISO17799 or ITIL counterpart.)

PO1 – Define strategic IT plan
  ISO17799: -
  ITIL: -

PO2 – Define information architecture
  ISO17799: Asset management (classification)
  ITIL: -

PO3 – Determine technological direction
  ISO17799: -
  ITIL: -

PO4 – Define IT processes, organization and relationships
  ISO17799: Organizing information security (internal); Asset management (responsibility); Access control (users)
  ITIL: -

PO5 – Manage IT investment
  ISO17799: -
  ITIL: Financial management for IT services (budgeting)

PO6 – Communicate management aims and direction
  ISO17799: -
  ITIL: -

PO7 – Manage IT human resources
  ISO17799: Human resources security
  ITIL: -

PO8 – Manage quality
  ISO17799: -
  ITIL: -

PO9 – Assess and manage IT risks
  ISO17799: -
  ITIL: -

PO10 – Manage projects
  ISO17799: -
  ITIL: -

AI1 – Identify automated solutions
  ISO17799: -
  ITIL: -

AI2 – Acquire and maintain application software
  ISO17799: Access control (development); Information system acquisition, development and maintenance (development – software)
  ITIL: -

AI3 – Acquire and maintain technology infrastructure
  ISO17799: Information system acquisition, development and maintenance (development – infrastructure)
  ITIL: -

AI4 – Enable operation and use
  ISO17799: -
  ITIL: -

AI5 – Procure IT resources
  ISO17799: -
  ITIL: -

AI6 – Manage changes
  ISO17799: Access control (maintenance); Information system acquisition, development and maintenance (maintenance)
  ITIL: Change management

AI7 – Install and accredit solutions and changes
  ISO17799: Information system acquisition, development and maintenance (maintenance)
  ITIL: Release management

DS1 – Define and manage service levels
  ISO17799: -
  ITIL: Service level management

DS2 – Manage third-party services
  ISO17799: Organizing information security (external)
  ITIL: -

DS3 – Manage performance and capacity
  ISO17799: Communications and operations management
  ITIL: Capacity management

DS4 – Ensure continuous service
  ISO17799: Business continuity management
  ITIL: IT service continuity management

DS5 – Ensure systems security
  ISO17799: Security policy; Communications and operations management (security); Access control (security); Information system acquisition, development and maintenance (security)
  ITIL: Security management

DS6 – Identify and allocate costs
  ISO17799: -
  ITIL: Financial management for IT services (costing)

DS7 – Educate and train users
  ISO17799: -
  ITIL: -

DS8 – Manage service desk and incidents
  ISO17799: Information security incident management
  ITIL: Incident management

DS9 – Manage configuration
  ISO17799: -
  ITIL: Configuration management

DS10 – Manage problems
  ISO17799: -
  ITIL: Problem management

DS11 – Manage data
  ISO17799: Communications and operations management (backups)
  ITIL: Availability management

DS12 – Manage physical environment
  ISO17799: Physical and environmental security
  ITIL: -

DS13 – Manage operations
  ISO17799: Communications and operations management (operations)
  ITIL: -

ME1 – Monitor and evaluate IT performance
  ISO17799: -
  ITIL: -

ME2 – Monitor and evaluate internal control
  ISO17799: Compliance (audit)
  ITIL: -

ME3 – Ensure regulatory compliance
  ISO17799: Compliance (standards)
  ITIL: -

ME4 – Provide IT governance
  ISO17799: -
  ITIL: -
Case Study

Key (colour coding of the process maps that follow):
  Maturity level ≥ 3
  Maturity level 2 – 2.9
  Maturity level ≤ 1.9

COBIT maturity model:
0 Non-existent: no processes
1 Initial: processes are ad hoc
2 Repeatable: processes are regular
3 Defined: processes are repeatable, as well as documented and communicated
4 Managed: processes are defined, as well as measured and monitored
5 Optimized: processes are managed, and best practices are followed and automated
Case Study

Process maps (not reproduced in the text): two COBIT process maps showing all 34 processes under the four domains (Plan & Organize, Acquire & Implement, Deliver & Support, Monitor & Evaluate), each process colour-coded by the maturity level assessed in the case study according to the key above. The maturity level assigned to each process is not recoverable from the text.
Conclusion
Organizations are increasingly dependent upon the information systems that support their business-critical functions.
They face the challenge of ensuring the confidentiality, integrity and availability of these information systems, as well as protecting the related technology infrastructure.
Due to increasingly complex environments and the demanding expectations of management, organizations are using a number of international standards to achieve international best practice in IT governance.
Conclusion
Roadmap diagram (not reproduced in the text): Assess, Design, Implement, moving from the present state to the future state.