Comparison between COBIT, ITIL and ISO 27001

Many friends of mine keep asking me what should be implemented first to improve their information system management: COBIT, ITIL, or ISO 27001. The next question is usually which one is the easiest to implement in their company.

To answer this, let me start with the definitions of these three major standards in information systems, which differ somewhat in their basic concepts.

COBIT

COBIT stands for Control Objectives over Information and Related Technology. COBIT is issued by ISACA (Information System Control Standard), a non-profit organization for IT governance. COBIT's main function is to help a company map its IT processes to ISACA's best-practice standard. COBIT is usually chosen by companies performing information system audits, whether related to a financial audit or a general IT audit.

ITIL

ITIL stands for Information Technology Library. ITIL, issued by the OGC, is a framework for managing IT service levels. Although ITIL is similar to COBIT in many ways, the basic difference is that COBIT sets its standard by looking at processes and risk, whereas ITIL sets its standard from basic IT services.

ISO27001

ISO 27001 is quite different from both COBIT and ITIL, because ISO 27001 is a security standard; it therefore has a smaller but deeper domain compared to COBIT and ITIL.

Here is a detailed comparison table of the three standards:

Area            | COBIT                                | ITIL                                 | ISO27001
Function        | Mapping IT Process                   | Mapping IT Service Level Management  | Information Security Framework
Area            | 4 Process and 34 Domain              | 9 Process                            | 10 Domain
Issuer          | ISACA                                | OGC                                  | ISO Board
Implementation  | Information System Audit             | Manage Service Level                 | Compliance to security standard
Consultant      | Accounting Firm, IT Consulting Firm  | IT Consulting Firm                   | IT Consulting Firm, Security Firm, Network Consultant

What should be implemented first?

There is no exact answer to this question; I think it really depends on your company and your requirements. Most companies start by implementing COBIT first because it covers the general information system. After that they usually choose between ITIL and ISO 27001.

Another consideration is budget and authority. COBIT implementation usually runs from the internal audit budget, while ITIL or ISO 27001 is usually performed using the IT department's budget. This makes the choice of which standard to implement first depend on management policy.

What is the easiest standard?

From the implementation point of view, ITIL is the easiest standard to implement, because ITIL can be implemented partially without impacting performance. For example, if the IT department lacks budget, it can choose to implement the IT Service Delivery layer only, and the next year try to implement IT Release Management or IT Problem Management.

COBIT and ISO 27001, however, are quite difficult to implement partially, since the process has to be seen in the bigger picture first before parts of it can be implemented.

How to choose the right vendor?

Many vendors say they can help your company implement these standards effectively; in fact there is no one solution for all. The COBIT vendor usually comes from a public accounting firm that has an IT audit arm, e.g. PwC, DTT, KPMG, EY. This type of vendor is the best choice for COBIT since they also work on COBIT implementation derivatives such as COBIT for Sarbanes-Oxley.

Vendors for the other standards, ITIL and ISO 27001, usually come from general IT consulting companies, e.g. IBM, Accenture. For ISO 27001, most IT networking companies can also offer consultation on this standard.

Do you have any other opinion on this comparison?

Other references:
ISACA: Aligning COBIT, ITIL and ISO 17799 for Business Benefit


I believe CoBIT has 4

I believe CoBIT has 4 domains and 34 processes (not 4 processes and 34 domains as shown in the table).

Comparison between COBIT, ITIL and ISO 27001

To whoever wrote this: Thank you very much for the information. I really appreciate it. Some people here question your accuracy and criticize your command of the English language, but I believe you deserve an "A" for effort. Please don't let the criticism and complaints bother you. You should pity those people. It's not their fault. They can't help it if their parents didn't care enough about them to raise them properly before sending them out into the world.

WHAT??

Who wrote this, and why is it published?? First, either check your grammar, or get proper translation; it is painful to read an article so badly written.
Second, so many of your facts are wrong or mistaken, I couldn't get past three paragraphs!... I do hope that those of you out there who are reading this, will go back and do further research, as you will be sadly mistaken if you take this as your only source.

Sorry for the harshness, the content intention was good, but the delivery left much to be desired...

Your harshness

If you think it is so badly written, why don't you update it yourself!

The author just tried to be friendly to others.


ISO 27002

I recommend ISO27002 as a very practical standard for implementing a customised information security management system.

When implementing you have to think in terms of deliverables:
- Information Security Policy,
- Information Security Plan,
- Business Continuity Plan,
- Risk management tool,
- Access matrices,
- Security Organisation (Roles),
et cetera.

First identify the IS items that are beneficial to your business.
Then develop the items, using best practices and input from key players.
Easy does it, lean, agile and solid.

Good luck.

Michel

Comparison between COBIT, ITIL and ISO 27001

Hi ,

About our company's information technology risk assessment, business continuity and disaster recovery software:
You can contact us for more information and to buy your product.

info@3myazilim.com

www.3myazilim.com

BS25999, COBIT, ISO27001 etc. consulting and software.

IT Risk Assessment Templates: this template is created using the NIST-SP 800:30 standard, Risk Management Guide for Information Technology Systems.

Covering some basic processes during IT Risk Assessment, including: System Characterization, Threat Identification, Vulnerability Identification, Control Analysis, Likelihood Determination, Impact Analysis, Risk Determination, Control Recommendations, Results Documentation, Business Continuity, Disaster Recovery, Business Impact Analysis.

WHAT?

ISO27001

How to implement it,

and what are the policies and procedures of ISO27001?

English or what ...

Your command of the English language is disgusting.
