In Depth

Alphabet Soup: Cobit, ITIL and ISO

Expert says ITIL plays well with others

By Malcolm Wheatley

February 01, 2006 — Cape Town, South Africa-based Gary Hardy is coauthor of "Aligning Cobit, ITIL and ISO 17799 for Business Benefit: A Management Summary," which was jointly published by the IT Governance Institute and the U.K. Office of Government Commerce (the "owners" of ITIL). Hardy is an adviser to both the IT Governance Institute and the Information Systems Audit and Control Association (ISACA), having been a member of the latter for more than 25 years.

CSO: How do Cobit and ITIL differ?

Gary Hardy: Cobit [control objectives for information and related technology], which as of November 2005 is now in its fourth release, is a high-level set of objectives with management and assurance tools for overall IT governance. People call it a standard, but it isn't: It's a framework—and, like ITIL, a set of best practices. ITIL, on the other hand, is mostly focused on service delivery and service management, and on the delivery of IT services in terms of the processes that should be followed. In plain English, people say that Cobit is what you should do, and ITIL is how you should go about doing it—accepting that ITIL has a narrower scope.

How would you describe ITIL's approach to security issues?

ITIL talks about security, but mostly in the context of service delivery. Frankly, security isn't really what ITIL is focused on, it's not its core strength, and it's not what people go to ITIL for.

And Cobit?

Cobit has always been security-oriented, and at a high level sets out what should be done about security—the things that security should focus on, in other words. It provides a set of objectives and guiding principles. More recently, a "Cobit security baseline" has supplemented this—it's an assessment tool, freely downloadable from ISACA (www.isaca.org).

Other stories by Malcolm Wheatley

Gary Hardy

RESOURCE CENTER
Loading...
VIRTUAL CONFERENCE
Security Directions: A Virtual Conference

Security Directions Available On Demand Sept. 30 - Dec. 30

Join us for a virtual event with candid, expert information on top security challenges and issues - all from the comfort of your desktop.

» Register Now

WEBCAST
Protecting PII: How to Work with IT to Manage Risk

Compuware Understand the critical nature of the test data privacy problem and get tips on how to work with IT to implement a test data privacy program.

» View this Webcast

Featured Sponsors