In Depth
Alphabet Soup: Cobit, ITIL and ISO
Expert says ITIL plays well with others
By Malcolm Wheatley
February 01, 2006 — Cape Town, South Africa-based Gary Hardy is coauthor of "Aligning Cobit, ITIL and ISO 17799 for Business Benefit: A Management Summary," which was jointly published by the IT Governance Institute and the U.K. Office of Government Commerce (the "owners" of ITIL). Hardy is an adviser to both the IT Governance Institute and the Information Systems Audit and Control Association (ISACA), having been a member of the latter for more than 25 years.
CSO: How do Cobit and ITIL differ?
Gary Hardy: Cobit [control objectives for information and related technology], which as of November 2005 is now in its fourth release, is a high-level set of objectives with management and assurance tools for overall IT governance. People call it a standard, but it isn't: It's a frameworkand, like ITIL, a set of best practices. ITIL, on the other hand, is mostly focused on service delivery and service management, and on the delivery of IT services in terms of the processes that should be followed. In plain English, people say that Cobit is what you should do, and ITIL is how you should go about doing itaccepting that ITIL has a narrower scope.
How would you describe ITIL's approach to security issues?
ITIL talks about security, but mostly in the context of service delivery. Frankly, security isn't really what ITIL is focused on, it's not its core strength, and it's not what people go to ITIL for.
And Cobit?
Cobit has always been security-oriented, and at a high level sets out what should be done about securitythe things that security should focus on, in other words. It provides a set of objectives and guiding principles. More recently, a "Cobit security baseline" has supplemented thisit's an assessment tool, freely downloadable from ISACA (www.isaca.org).
Other stories by Malcolm Wheatley
Data Center Directions Virtual Conference
Attend this free, 100% online event exploring tools and techniques for making your data center deliver for today and tomorrow.
The Surest Path to Effective and Efficient Compliance
In this webcast, we explore why and how with best practices, practical tips and solutions that work to ease your compliance challenge.




