In today’s highly connected world, information technology (IT) has matured into an indispensable component of any successful enterprise. Businesses around the world spend large sums to acquire IT capabilities that improve operational efficiency and product quality, manage business risk, and increase information security. There is no denying the importance of IT to a company’s bottom line. The strategic benefits and risks associated with IT investments, together with the new regulatory environment, require board-level risk management and governance of IT (Raodeo, 2012). IT governance therefore paves the way for management to make better-informed decisions about IT initiatives and investments.

Organizational governance establishes appropriate and transparent high-level objectives and policies to protect all stakeholders (Unesco, 2022). A company’s ability to establish and meet business objectives, to identify and respond to threats, and to achieve its full potential is shaped by its governance system. Given its crucial role in every organization, IT has evolved from a transaction support function into a generator of competitive advantage. The flexibility to quickly detect and react to market conditions and to compete effectively in a volatile, ever-changing business environment are among the critical capabilities IT helps companies achieve. IT governance, a subset of enterprise governance, refers to the leadership, organizational structures, and processes that ensure IT supports and extends the strategy and objectives of the organization (Mangalaraj et al., 2014).

Governance Frameworks and Components

Establishing appropriate high-level objectives, policies, and business strategy requires a governance framework. COBIT, ITIL, and ISO 17799 are governance frameworks (Symons, 2005) that organizations can customize to design their own governance framework, which in turn guides and directs the vision and strategic objectives of the organization. Effective IT governance requires a structure built on the three pillars of design, processes, and communication (Raodeo, 2012).

Control Objectives for Information and Related Technologies (COBIT)

In 1996, ISACA developed the Control Objectives for Information and Related Technologies (COBIT) framework. COBIT, now in its fifth version, is a framework for managing information technology; it sets out metrics for measuring progress toward goals and the success of existing initiatives. COBIT has evolved from COBIT 1 to COBIT 5 since its creation in 1996. COBIT 5 improves on its predecessor by taking into account a wider variety of significant frameworks, standards, and resources, giving businesses a more complete picture of how to manage their information technology (ISACA, 2012). This reflects the critical role that IT plays in generating value for businesses. COBIT 5 is the culmination of years of work by industry leaders and by IT and governance professionals worldwide, and it reflects their collective wisdom in its guiding principles, practices, analytical tools, and models. COBIT 5 is complementary to other essential frameworks and standards such as ITIL and ISO (ISACA, 2012).

The core of COBIT 5 consists of five principles: meeting stakeholder needs, covering the enterprise end-to-end, applying a single integrated framework, enabling a holistic approach, and separating governance from management (ISACA, 2012). The COBIT 5 product family consists of the framework itself; enabler guides (enabling processes and information); professional guides (COBIT 5 Implementation, Information Security, Assurance, and Risk); and a collaborative online environment (the COBIT 5 Community) for implementing and using COBIT 5 (Mangalaraj et al., 2014). These principles are developed further within the COBIT framework through seven enablers: 1) principles, policies, and frameworks; 2) processes; 3) organizational structures; 4) culture, ethics, and behavior; 5) information; 6) services, infrastructure, and applications; and 7) people, skills, and competencies (ISACA, 2012).

The Information Technology Infrastructure Library (ITIL)

ITIL is a process-oriented governance framework used to determine the optimum methods for managing IT services by focusing on service management (Symons, 2005). ITIL is a collection of guidelines for managing IT services to meet business needs. It uses a methodical approach to help businesses manage risk, enhance customer relationships, boost productivity, and create a scalable IT infrastructure framework (Simplilearn, 2022). ITIL’s service lifecycle consists of five phases: service strategy, service design, service transition, service operation, and continual service improvement (Simplilearn, 2022):

  • Service Strategy elaborates on processes in financial management, service portfolio management, demand management, and strategy operations.
  • Service Design focuses on processes in service level management, availability management, capacity management, continuity management, information security management, service catalog management, and supplier management.
  • Service Transition deals with change management, asset and configuration management, release and deployment management, transition planning and support, service validation and testing, evaluation, and knowledge management processes.
  • Service Operation aligns with the service desk, technical, application, and IT operations management functions. This stage of the ITIL lifecycle also elaborates on processes that include incident management, problem management, access management, event management, and request fulfillment.
  • Continual Service Improvement deals with step-by-step process improvement.

The International Organization for Standardization (ISO) 17799

In this modern era, information technology professionals have to deal with a growing number of internal and external risks to the reliability and security of information systems, all while ensuring that users can continue to access vital databases and other data. ISO 17799 provides a framework for businesses to follow when developing information security policies and procedures, allocating responsibilities, documenting daily operations, planning for incident and business continuity management, and ensuring compliance with legal requirements and audit controls (Myler & Broadbent, 2006). The third main governance framework, ISO 17799, was created by the International Organization for Standardization. The goal of the ISO 17799 standard is to help businesses strengthen their IT security programs (Symons, 2005).

Eleven separate security control clauses make up this ISO framework. Each clause has 39 primary security classifications, each with a corresponding control objective and a set of measures designed to implement that objective (Myler & Broadbent, 2006). The eleven clauses of ISO 17799 are: 1) security policy, 2) organizational information security, 3) asset management and control, 4) human resource security, 5) physical and environmental security, 6) communications and operations management, 7) access control, 8) information systems acquisition, development, and maintenance, 9) information security incident management, 10) business continuity management, and 11) compliance (Saint-Germain, 2005).

Differences and Similarities Between COBIT, ITIL, and ISO 17799

| Characteristic | COBIT | ITIL | ISO 17799 |
|---|---|---|---|
| Definition | Enterprise information technology governance and management framework. | A collection of guidelines for improving IT service delivery. | An international standard for IT security management. |
| Main Objective | Provides maturity models, critical success factors, key goal indicators, and key performance indicators for IT administration. | Process-oriented; aims to determine the optimum methods for managing IT services. | Provides the most internationally recognized and comprehensive approach to security management. |
| Key principles | COBIT is built on 5 core principles and 7 enablers. | ITIL is based on a 5-phase lifecycle. | ISO 17799 revolves around eleven security control clauses. |
| Implementation | The COBIT framework can be customized to suit the IT needs of any organization. | The ITIL framework can be adapted to suit the IT service needs of any organization. | ISO 17799 can be adapted to suit the information security needs of an organization. |
| Scope | COBIT provides a holistic perspective on the management of enterprise IT. | ITIL focuses on IT service management. | ISO 17799 focuses on security management. |
| Complements | COBIT complements ITIL and ISO 17799 and serves a broader audience. | ITIL is more narrowly focused on IT service management. | ISO 17799 is focused on IT security management. |
| Uses | COBIT provides guidance for the governance of enterprise IT. | ITIL helps define operational IT service management processes. | Demonstrates that a company’s IT is secure according to industry standards. |

Which Governance Framework is the Best?

Governance frameworks help organizations establish appropriate high-level objectives, policies, and business strategies. Based on the descriptions and components of the COBIT, ITIL, and ISO 17799 frameworks, it is evident that they are not mutually exclusive, since no single framework is entirely exhaustive (Arora, 2010). For instance, COBIT covers some aspects of ITIL and ISO 17799, though not in depth. Choosing which framework is best for enterprise governance, information security, and regulatory compliance is therefore subjective and depends on many factors. These include the framework’s alignment with the organization’s goals and objectives, regulatory compliance obligations, the industry in which the business operates, the size of the company, and relationships with other organizations that adhere to common standards, among others (Arora, 2010). ITIL is concerned with service management, while COBIT is focused on auditing and controls. Since the two models are more complementary than competitive, their components can be combined to build a unified system of governance (Symons, 2005).

References

Arora, V. (2010). Comparing different information security standards: COBIT vs. ISO 27001. Qatar: Carnegie Mellon University. https://varunarora.com/assets/iso27001-vs-cobit/paper.pdf

ISACA. (2012). COBIT 5. ISACA. https://store.isaca.org/s/store#/store/browse/detail/a2S4w000004KoCDEA0

Mangalaraj, G., Singh, A., & Taneja, A. (2014). IT governance frameworks and COBIT: A literature review. https://core.ac.uk/download/pdf/301361993.pdf

Myler, E., & Broadbent, G. (2006). ISO 17799: Standard for security. Information Management Journal, 40(6), 43-44, 46, 48-52.

Raodeo, V. (2012). IT strategy and governance: Frameworks and best practice. International Journal of Research in Economics & Social Sciences, 2(3), 49-59.

Saint-Germain, R. (2005). Information security management best practice based on ISO/IEC 17799. Information Management Journal, 39(4), 60-66.

Simplilearn. (2022). An overview of ITIL concepts and summary process. Simplilearn. https://www.simplilearn.com/itil-key-concepts-and-summary-article#itil_framework

Symons, C. (2005). IT governance framework. Forrester Research. https://core.ac.uk/download/pdf/301361993.pdf

Unesco. (2022). Concept of governance. International Bureau of Education. http://www.ibe.unesco.org/en/geqaf/technical-notes/concept-governance
