COBIT
The COBIT framework is published by the IT Governance Institute and the Information Systems Audit and Control Association (ISACA). The goal of the framework is to provide a common language for business executives to communicate with each other about goals, objectives and results. The original version, published in 1996, focused largely on auditing. The latest version, published in 2013, emphasizes the value that information governance can provide to a business' success. It also provides quite a bit of advice about enterprise risk management.

The name COBIT originally stood for "Control Objectives for Information and Related Technology," but the spelled-out version of the name was dropped in favor of the acronym in the fifth iteration of the framework.
COBIT 5 is based on five key principles for governance and management of enterprise IT:
Principle 1: Meeting Stakeholder Needs
Principle 2: Covering the Enterprise End-to-End
Principle 3: Applying a Single, Integrated Framework
Principle 4: Enabling a Holistic Approach
Principle 5: Separating Governance From Management
ITIL
The ITIL (Information Technology Infrastructure Library) framework is designed to standardize the selection, planning, delivery and support of IT services to a business. The goal is to improve efficiency and achieve predictable service levels. The ITIL framework enables IT to be a business service partner, rather than just back-end support. ITIL guidelines and best practices align IT actions and expenses to business needs and change them as the business grows or shifts direction.

ITIL traces its roots back to the 1980s as data centers began decentralizing and adopting more distributed or geographically diverse architectures. This flexibility led to unwanted differences in processes and deployments, creating inconsistent or suboptimal performance. The United Kingdom's government recognized the importance of perceiving IT as a service and then applying consistent practices across the entire IT service lifecycle, and initiated ITIL.

ITIL encompasses a framework of five core publications or ITIL books, which are periodically reviewed and updated as technologies change. Each book collects best practices for each major phase of the IT service lifecycle. ITIL Service Strategy explains business goals and customer requirements. ITIL Service Design shows how to move strategies into plans that help the business. ITIL Service Transition shows how to introduce services into the environment. ITIL Service Operation explains how to manage the IT services. ITIL Continual Service Improvement helps adopters evaluate and plan large and small improvements to IT services.

ITIL-based IT infrastructure management can be a complex specialty for any business, and is often the domain of the largest IT-centric businesses such as Microsoft, Hewlett-Packard and IBM, along with other major enterprises in retail, finance, pharmaceuticals, entertainment and manufacturing. ITIL adoption and maintenance normally requires trained and certified experts to guide a company and its IT staff.
ISO27001
ISO 27001 Information Security Management Systems is the international best practice standard for information security. ISO 27001:2013, the current version of the standard, provides a set of standardised requirements for an information security management system (ISMS). ISO 27001 certification is suitable for any organisation, large or small and in any sector. The standard is especially suitable where the protection of information is critical, such as in the banking, financial, health, public and IT sectors. The standard is also very applicable to organisations which manage high volumes of data, or information on behalf of other organisations, such as datacentres and IT outsourcing companies.

Protecting your organisation's information is critical for the successful management and smooth operation of your organisation. Completing ISO/IEC 27001 information security management systems certification will aid your organisation in managing and protecting your valuable data and information assets.

By achieving certification to ISO 27001 your organisation will be able to reap numerous and consistent benefits.
Some of the benefits of ISO 27001 are:
· Keeps confidential information secure
· Provides customers and stakeholders with confidence in how you manage risk
· Allows for secure exchange of information
· Allows you to ensure you are meeting your legal obligations
· Helps you to comply with other regulations (e.g. SOX)
· Provides you with a competitive advantage
· Enhances customer satisfaction, which improves client retention
· Ensures consistency in the delivery of your service or product
· Manages and minimises risk exposure
· Builds a culture of security
· Protects the company, assets, shareholders and directors
What should be implemented first?
Most companies start by implementing COBIT first, because it covers the general information system. After that they usually choose between ITIL and ISO27001.

Another consideration is budget and authority. COBIT implementation is usually run from the internal audit budget, while ITIL or ISO27001 implementation is usually performed using the IT department's budget. This consideration usually makes the choice of which standard to implement first depend on management policy.
What is the easiest standard?
From the implementation point of view, ITIL is the easiest standard to implement, because ITIL can be implemented partially and still not have an impact on performance. For example, if the IT department lacks budget, it can choose to implement the IT Service Delivery layer only, and the next year it can try to implement IT Release Management or IT Problem Management.

However, COBIT and ISO27001 are quite difficult to implement partially, since a process should be seen in the bigger picture first before it can be implemented partially.
How to choose the right vendor?
Many vendors say that they can help your company implement these standards effectively; in fact there is no one solution for all. Usually the COBIT vendor comes from a public accounting firm. This type of vendor is the best choice for COBIT since they also work on COBIT implementation derivatives such as COBIT for Sarbanes-Oxley.
AREA | COBIT | ITIL | ISO27001
Function | Mapping IT Process | Mapping IT Service Level Management | Information Security Framework
Area | 4 Process and 34 Domain | 9 Process | 10 Domain
Issuer | ISACA | OGC | ISO Board
Implementation | Information System Audit | Manage Service Level | Compliance to security standard
Consultant | Accounting Firm, IT Consulting Firm | IT Consulting firm | IT Consulting firm, Security Firm, Network Consultant