Alphabet Soup: Cobit, ITIL and ISO

Cape Town, South Africa-based Gary Hardy is coauthor of “Aligning Cobit, ITIL and ISO 17799 for Business Benefit: A Management Summary,” which was jointly published by the IT Governance Institute and the U.K. Office of Government Commerce (the “owners” of ITIL). Hardy is an adviser to both the IT Governance Institute and the Information Systems Audit and Control Association (ISACA), having been a member of the latter for more than 25 years.

CSO: How do Cobit and ITIL differ?

Gary Hardy: Cobit [control objectives for information and related technology], which as of November 2005 is now in its fourth release, is a high-level set of objectives with management and assurance tools for overall IT governance. People call it a standard, but it isn’t: It’s a framework—and, like ITIL, a set of best practices. ITIL, on the other hand, is mostly focused on service delivery and service management, and on the delivery of IT services in terms of the processes that should be followed. In plain English, people say that Cobit is what you should do, and ITIL is how you should go about doing it—accepting that ITIL has a narrower scope.

How would you describe ITIL’s approach to security issues?

ITIL talks about security, but mostly in the context of service delivery. Frankly, security isn’t really what ITIL is focused on, it’s not its core strength, and it’s not what people go to ITIL for.

And Cobit?

Cobit has always been security-oriented, and at a high level sets out what should be done about security—the things that security should focus on, in other words. It provides a set of objectives and guiding principles. More recently, a “Cobit security baseline” has supplemented this—it’s an assessment tool, freely downloadable from ISACA (www.isaca.org).