How BS7799 and COBIT differ, part two

This Ask the Expert Q&A examines the origins of the ISO/IEC 17799 and COBIT security management standards and discusses the differences between them.

Continued from part one


Control Objectives for Information and related Technology (COBIT) was created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). It is a framework of information technology control objectives intended to ensure that technology is properly governed and that it maps to and supports business processes. COBIT is process-oriented but IT-driven, which means that it focuses on the success of business processes through the proper use of IT resources.

COBIT has been used mainly by the IT industry, and in 1998 Management Guidelines were added, which expanded its relevance to current business needs. It contains four domains, 34 processes, 318 control objectives and close to 1,600 control practices. The four domains are groupings of processes that map to the following organizational responsibilities:

  • Planning and Organization
  • Acquisition and Implementation
  • Delivery and Support
  • Monitoring

Each domain contains a list of processes that should be followed. For example, the Planning and Organization domain contains the following processes:

  • Define a strategic IT plan
  • Define the information architecture
  • Determine the technological direction
  • Define the IT organisation and relationships
  • Manage the IT investment
  • Communicate management aims and direction
  • Manage human resources
  • Ensure compliance with external requirements
  • Assess risks
  • Manage projects
  • Manage quality

The IT resources addressed in COBIT are data, application systems, technology, facilities and people. COBIT provides performance metrics to measure control effectiveness, critical success factors (CSFs) for each IT process, and maturity models that give clear lines for continual improvement.

It is considered a true framework for IT governance and is in its fourth edition. The main goal of COBIT is to satisfy business needs through processes that use IT resources in a controllable and measurable manner. Rather than key performance indicators (KPIs), which COBIT uses to measure how well a process is performing, the criteria below are COBIT's information criteria: the qualities the information produced by each process is evaluated against. The original list gives the first six; COBIT itself also names a seventh, reliability of information.

  • Effectiveness
  • Efficiency
  • Confidentiality
  • Integrity
  • Availability
  • Compliance
  • Reliability

Information Technology Infrastructure Library (ITIL)

Although this framework was not asked about, it is an important component when comparing and contrasting current industry best practices. It is considered the de facto standard for IT service management and concentrates on providing consistent, documented and repeatable processes to ensure quality of service.

None of these frameworks competes with the others; in fact, they work best when used together. Although they may at first appear to overlap, each has a distinct focus, with its own strengths and gaps:

  • ISO 17799 outlines security controls, but does not address how to integrate them into business processes
  • ITIL focuses on IT service processes, not on security
  • COBIT focuses on controls and metrics, and only partly on security

So a combination of all three is usually the best approach. COBIT can be used to determine whether the company's needs (including security) are being properly supported by IT. ISO 17799 can be used to assess and improve the company's security posture. And ITIL can be used to improve IT processes so that they meet the company's goals (including security).


Good places to start:

  • COBIT
  • ISO 17799 (secpubs/otherpubs/reviso-faq.pdf)
  • Information Technology Infrastructure Library (ITIL)

This was last published in November 2005
