ITIL, COBIT, And ISO: Overlap Or Complement?by Jean-Pierre Garbaniwith Laura Koetzle and Thomas PowellEXECUTIVE SUMMARYPressures to decrease cost, increase reliability, and comply with local regulations conspire to make it harder than ever for IT to deliver business services efficiently. We are fast approaching the stage of ITs evolution at which innovation must translate into overall process improvements, as it did in the mainframe world 20 years ago. This quest for process improvement is the root cause of a universal interest in best practices and in frameworks such as IT Infrastructure Library (ITIL), International Organization for Standardization (ISO), and control objectives for information and related technology (COBIT). Looking at these frameworks, we find that they are mainly complementary, but they lack directly actionable recommendations, which makes them excellent guides and checklists rather than implementation blueprints.RESEARCH CATALYSTClients selected this topic for Client Choice research.THE QUEST FOR BEST PRACTICES HAS BEGUN IN EARNEST . . .All industries mature in stages. First, innovation improves technology to a point of real usability. Then innovation fuels a constant process improvement of the way that products get built and used. Process improvement leads directly to considerable cost reduction and widespread adoption of the technology. IT follows this same pattern of constant process improvement aimed at reducing costs: The mainframes heyday saw continuous improvement. Application development and operational processes reached a maturity that led directly to widespread adoption of IT as a business tool.The early days of distributed systems focused first on development. Since 1990, firms have put considerable effort into improving the development of applications. This translated first into Computer Aided Software Engineering (CASE), Capability Maturity Model (CMM), and ISO, and then into development tools that considerably reduce development costs.The past two years have shown the focus shift towards IT operations. Service-level management (SLM), business-service management (BSM), and many technologies that have appeared during the past three years translate into products and best practices aimed at making IT service performance more predictable and at reducing the overall cost of IT operations.. . . AND WITH GOOD REASON SCOPE AND COMPLEXITY KEEP GROWINGThe constant decrease in hardware and software costs means that firms can afford more IT, which makes improving IT operational processes even more important:The scope of digital applications increases continuously. Firms can now afford to automate applications that would have been prohibitively expensive to tackle just five years ago. These applications, with a lower cost structure, require lower operational costs to maintain a positive return on investment. The complexity of new applications increases continuously. The process improvements in application development coupled with the possibility of ubiquitous access to these applications as in Web services make relying on human analytical capabilities, as IT operations used to, impractical if not downright impossible.Thus, its only logical that best operational practices frameworks such as ISO, ITIL, and COBIT have become popular with IT operations. Here are the questions we must answer: 1) What are these frameworks? 2) To which operational processes do they apply? and 3) Should you use them together or separately?ISO, ITIL, And COBIT: What You Need To KnowThe three different best practices frameworks cover different domains:ISO 17799. This international standard of which International Organization for Standardization\/International Electrotechnical Commission (ISO\/IEC) released a revised version in June 2005 aims to improve the practices and organizations around information security. It defines a global approach to security management that touches the responsibilities and organizations responsible for security as well as the policies, critical asset classification, and risk management. It is best used when security certification and overall definition of all security processes logical and physical is needed and basic rules for security defined.ITIL. Originally created by the UK government, ITIL summarizes best practices for the implementation of IT management processes. ITIL defines the processes to be implemented to deliver and support IT services (most of the time, IT services today equal applications) focusing on the business (ITs customer). The ITIL philosophy revolves around the service desk as a communication platform and the configuration management database (CMDB).COBIT. COBIT compiles an up-to-date international set of generally accepted control objectives for day-to-day use by business managers and IT managers. It addresses IT governance and the key performance indicators associated with process improvement. At first glance, COBIT seems to overlap considerably with ITIL, but COBIT has clearly been influenced by problems raised by the insurance industry. Mergers and acquisitions, unification of processes, outsourcing and audits are main chapters of the COBIT framework.Here are the strengths and weaknesses of each:ISO 17999 provides security controls. It does not provide implementation guidance and does not specifically address how these processes fit into the overall IT management processes.ITIL is strong on delivery and support processes. It describes how to structure operational processes but is weak on security controls and processes.COBIT is focused on controls and metrics. It also lacks a security component but provides a more global view of IT processes at the IT organization management principles than ITIL.ISO, ITIL, And COBIT: Complementary Or Overlapping?Looking at these three frameworks, we reach the conclusion that they do in fact complement each other: you can supplement the IT operational process strengths of ITIL with the critical success factors (CSF) and key performance indicators (KPI) of COBIT, and both can make good use of the security processes and controls defined in ISO. Examples of complementary elements between ITIL Service Support, COBIT, and ISO are:Incident management. Defined as an ITIL service support process, it has an ISO complement in case of security incidents as well as a COBIT delivery and support chapter.Problem management. The COBIT delivery and support chapter defines incident and problem management processes that complement the ITIL problem management process.Change, configuration, and release management. These ITIL processes have a direct complement in COBITs change management and configuration changes as well as in ISOs operational change control, controls against viruses, and third-party security requirements.COBIT and ISO also provide guidance, key indicators, and controls for the definition of service-level agreements, capacity planning, availability management, and business continuity, which complement ITIL service delivery processes.RECOMMENDATIONSDEFINE COMPLETE OPERATIONAL PROCESSES THROUGH MULTIPLE INPUTSToday, Forrester estimates that 30% of $1 billion-plus companies are experimenting with ITIL and between 12% and 13% have implemented ITIL. However, ITIL is relatively weak in security controls and weaker yet in metrics and outsourcing, two areas where ISO and COBIT shine. We believe that:Process improvement is not a choice. The evolution of IT is such that both complexity and cost containment will exert continuous pressure on IT operations and make best practices the only answer available to organizations.ITIL, COBIT, and ISO are good sources of inspiration. When it comes to process improvements, the tried and true is difficult to beat. But a single source of information may not be enough. Combining elements of at least these three major frameworks will broaden the scope of the resulting process and improve its quality.People and organizations will resist change. This leaves two choices: 1) be very dogmatic about the ITIL, COBIT, and ISO recommendations or 2) use them as a reference to define the best possible solution that fits the current organization. CASE, CMM, and ISO 9000 used a very sectarian implementation approach 15 years ago that mostly failed. A consensus and educated approach must be favored over the creation of process police.Certification may be useful but not necessary. Certification brings expertise to an organization that you can use to design or overhaul processes. However, if your company tends to reject the creation of elitist groups, skip certification its not mandatory. Building a widely accessible reference library and educating the organization through process champions and advocates may provide better results.