Copyright 2007 ISACA. All rights reserved. www.isaca.org.

Interdependence of COBIT and ITIL

By Robert Fabian, Ph.D., I.S.P.
or years, the IT profession has been in search of practical and widely applicable best practice standards. The early IT best practices filled bookcases and were distinctly proprietary. The cost to purchase and use them was high, and benefits did not always follow useeven consistent and faithful use. By the 1990s, IT best practice standards had improved. The better standards abandoned the approach of describing how work was to be performed and concentrated on what results should be obtained. Much of the work done by the Institute of Electrical and Electronics Engineers (IEEE) followed this evolutionary path. These newer best practice standards were practical and widely applicable. IT Infrastructure Library (ITIL) is a reasonable example of a 21st century standard that offers practical and widely applicable best practices for IT service management. It has been widely embraced, with major outsourcing vendors promising ITIL conformity, and with a full suite of ITIL tools and consultants available. An important point needs to be made about the ITIL standard. In fact, there are three ITIL standards, and there may be a fourth. There are seven ITIL volumes in all. That library touches all aspects of IT, including, but not limited to, IT service delivery and support. It is a grand vision, but almost no one uses all seven volumes. When organizations say they have adopted the ITIL standard, they usually mean that they have in place the 10 processes and the service desk described in the Service Delivery and Service Support volumes. The only actual IT service management standard is BS 15000 from the British Standards Institute (or the equivalent ISO 20000 from the International Organization for Standardization). It is close to the 10 processes plus service desk model, but it adds requirements about managing relationships and security. A new version of the seven volumes is under development. One can only hope that this new version will follow the approach presented in BS 15000. The reality is that BS 15000 does not cover all IT best practices. For example, it is silent on development and acquisition best practices, and it does not present a balanced view of risk management. It covers IT service delivery and service support, but that is it.

Control Objectives for Information and related Technology (COBIT) began as a guide for IT auditors. It has evolved greatly since its first edition. The current version provides practical and widely applicable IT governance best practice standards. It can be used to supply the contextual framework that is missing from such standards as ITIL. The 34 COBIT processes cover all important processes within IT. COBIT can be used as an effective IT planning framework. It allows an IT shop to close in on the IT processes that are most important for that shop and its parent organization. A gap analysis can be developed directly from the COBIT process maturity models. COBIT gap analysis has been used to guide internal IT improvement plans in shops ranging from dozens to thousands of IT professionals. But COBIT offers little help in determining which specific best practices a shop should follow. It is useful in identifying the critical gaps, but offers minimal help in identifying the best practices that should be used to bridge those gaps. ITIL (or BS 15000) can be an excellent source of best practices to use for some of those gaps. One recent assignment saw a large IT organization identify 10 COBIT gaps that needed to be bridged. The operational gaps centered on risk management, change management, quality management and value management. ITIL could provide this client with useful best practices for managing operational changesa critical point where the rubber meets the road. But ITIL does not provide much help with risks, quality or value. COBIT and the new Val IT initiative are being used to guide selection of best practices in these other areas. ITIL is a proven and practical way to bridge the operational gaps that can be identified when using COBIT. COBIT adds the critical overall context missing from ITIL. ITIL adds the practical advice about operational details that are missing from COBIT. It is true interdependency. Robert Fabian, Ph.D., I.S.P. is a management and systems consultant based in Toronto, Ontario, Canada. He has more than 40 years of experience with IT methodologies and best practices, and is committed to helping his clients find best practices that deliver maximum value from IT. He can be reached at robert@fabian.ca.

Information Systems Control Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the Information Systems Control Journal. Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content. Copyright 2007 by ISACA. All rights reserved. Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25 per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited. www.isaca.org

JOURNALONLINE