Windows IT management tip

How BS7799 and COBIT differ, part two

Continued from part one

COBIT

Control Objectives for Information and related Technology (COBIT) was created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). It is a framework that outlines information technology control objectives to ensure that technology is properly governed and that it maps to and supports business processes. COBIT is process-oriented but IT-driven, which means that it focuses on the success of business processes through the proper use of IT resources.

COBIT has been used mainly by the IT industry, and in 1998 Management Guidelines were added, which expanded its relevance and use to today's business needs. It contains four domains, 34 processes, 318 control objectives, and close to 1,600 control practices. The four domains are groupings of processes that map to the following organizational responsibilities:

  • Planning and Organization
  • Acquisition and Implementation
  • Delivery and Support
  • Monitoring

Each domain has a list of processes that should be followed. For example, under the Planning and Organization domain the following processes are provided:

  • Define a strategic IT plan
  • Define the information architecture
  • Determine the technological direction
  • Define the IT organisation and relationships
  • Manage the IT investment
  • Communicate management aims and direction
  • Manage human resources
  • Ensure compliance with external requirements
  • Assess risks
  • Manage projects
  • Manage quality

The IT resources addressed in COBIT are data, application systems, technology, facilities and people. COBIT provides performance metrics to measure control effectiveness, necessary success factors for each IT process, and maturity models to allow for clear lines of continual improvement.

It is considered a true framework that allows for IT governance and is in its fourth edition. The main goal of COBIT is to accomplish business needs through processes that use IT resources in a controllable and measurable manner. It provides a set of criteria, used as key performance indicators (KPIs), to evaluate the success of the identified processes:

  • Effectiveness
  • Efficiency
  • Confidentiality
  • Integrity
  • Availability
  • Compliance

Information Technology Infrastructure Library (ITIL)

Although this framework was not asked about, it is an important component when comparing and contrasting current industry best practices. It is considered the de facto standard for IT service management and concentrates on how to provide consistent, documented, and repeatable processes to ensure quality.

None of these frameworks competes with the others; in fact, they are best used together. Although they may seem at first to overlap, they do have distinct differences, pros and cons:

  • ISO 17799 outlines security controls, but does not focus on how to integrate them into business processes
  • ITIL focuses on IT processes, not on security
  • COBIT focuses on controls and metrics, not as much on security

So, a combination of all three is usually the best approach. COBIT can be used to determine if the company's needs (including security) are being properly supported by IT. ISO 17799 can be used to determine and improve upon the company's security posture. And ITIL can be used to improve IT processes to meet the company's goals (including security).

Resources:

Good places to start for COBIT
http://www.isaca.org/Template.cfm?Section=COBIT6&CONTENTID=22368&TEMPLATE=/ContentManagement/ContentDisplay.cfm
http://www.isaca.org/Template.cfm?Section=COBIT6&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=55&ContentID=7981

ISO 17799
csrc.nist.gov/publications/secpubs/otherpubs/reviso-faq.pdf

http://www.iso.org/iso/en/prods-services/popstds/informationsecurity.html

http://www.gammassl.co.uk/bs7799/works.html

Information Technology Infrastructure Library (ITIL)

http://www.itil.co.uk/

http://www.ogc.gov.uk/index.asp?id=2261

This was first published in November 2005
