Thursday, 3 March 2016


COBIT, ITIL, ISO 27001

COBIT

COBIT stands for Control Objectives for Information and Related Technology. COBIT is issued by ISACA (Information Systems Audit and Control Association), a non-profit organization for IT governance. COBIT's main function is to help a company map its IT processes to ISACA's best-practice standard. COBIT is usually chosen by companies performing information systems audits, whether related to a financial audit or a general IT audit.


COBIT contains 34 IT processes, each with high-level control objectives (COs) and a set of detailed control objectives (DCOs). In total, 318 DCOs are defined for these processes.






COBIT AND IT

COBIT® provides guidance for executive management to govern IT within the enterprise:
·         More effective tools for IT to support business goals
·         More transparent and predictable full life-cycle IT costs
·         More timely and reliable information from IT
·         Higher quality IT services and more successful projects
·         More effective management of IT-related risks

·         COBIT is often used at the highest level of IT governance
·         It harmonises practices and standards such as ITIL, ISO 27001 and 27002, and PMBOK
·         Improves their alignment to business needs
·         Covers the full spectrum of IT-related activities




ITIL

The ITIL (Information Technology Infrastructure Library) framework is designed to standardize the selection, planning, delivery and support of IT services to a business. The goal is to improve efficiency and achieve predictable service levels. The ITIL framework enables IT to be a business service partner, rather than just back-end support. ITIL guidelines and best practices align IT actions and expenses to business needs and change them as the business grows or shifts direction.


Adopting ITIL can offer users improved IT services, improved customer satisfaction through a more professional approach to service delivery, improved productivity, improved use of skills and experience, and improved delivery of third-party services.


ITIL 2007 has five volumes, published in May 2007, and updated in July 2011 as ITIL 2011 for consistency:
1.   ITIL Service Strategy: understands organizational objectives and customer needs.
2.   ITIL Service Design: turns the service strategy into a plan for delivering the business objectives.
3.   ITIL Service Transition: develops and improves capabilities for introducing new services into supported environments.
4.   ITIL Service Operation: manages services in supported environments.
5.   ITIL Continual Service Improvement: achieves incremental and large-scale improvements to services.


ISO 27001

The ISO 27001 standard was published in October 2005. ISO 27001 was formerly the BS 7799-2 standard. It is the specification for an Information Security Management System (ISMS). It is the formal set of specifications against which organizations may seek independent certification of their ISMS.

The objective of the ISO 27001 standard is to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system. 

BENEFITS OF ISO 27001

·         Identify risks and put controls in place to manage or eliminate them
·         Flexibility to adapt controls to all or selected areas of your business
·         Gain stakeholder and customer trust that their data is protected
·         Demonstrate compliance and gain status as preferred supplier
·         Meet more tender expectations by demonstrating compliance


ISO 27001 differs considerably from COBIT and ITIL: because ISO 27001 is a security standard, its domain is narrower but deeper than that of COBIT and ITIL.


COMPARISON BETWEEN THE 3 STANDARDS




Strengths


·         COBIT is managed by ISACA (Information Systems Audit and Control Association), which keeps the standard up-to-date and on par with current technology. It is a globally accepted standard and encompasses far more than just the information security scope that other standards are limited to. Accordingly, it is also easier to partially implement COBIT without requiring a full-spectrum analysis and commitment by the organization.
·         ITIL is created and managed by the U.K. government, and is a natural fit for companies in that area of the world. However, the ITIL standard is used worldwide and may be considered for any company regardless of geographical location. ITIL excels at increasing visibility into and management of internal processes to positively impact efficiency and economy.
·         ISO 27002 is associated with a very respected and widely known standard (ISO 27001), and will be recognized and understood by those familiar with the ISO/IEC standards. This standard allows system managers to identify and mitigate gaps and overlaps in coverage.
·         The level of detail afforded by implementing a framework based on NIST is considerable, and an organization not wishing to spend time on customizing a framework for its specific industry or nature may wish to use NIST, assuming that the level of detail is complementary to its goals.


Weaknesses



·         While being widely scoped can be viewed as a strength for COBIT, it can also be a detractor during implementation. Because it is by design not limited to a single area, it can often lead to gaps in coverage.
·         While focused on information security only, ITIL is considered to be a higher-level standard than ISO 27002, and points to ISO standards for detailed implementation. Specific implementation details are rather lacking.
·         ISO 27002 is focused specifically and purposefully on information security and is therefore limited in scope compared to other standards such as COBIT.
·         Similar to ISO 27002, NIST is limited in scope to information security, whereas COBIT and ITIL are more general in nature. Multiple publications must be processed and implemented in order to achieve compliance, which can lead to coverage gaps.


When to Use



·         COBIT is a good candidate when an organization wishes to create an organization-wide framework for management that is scoped outside of information security only. While not providing direct accreditation, certification can be achieved through closely aligned paths.
·         ITIL points to ISO standards as a framework in which to implement a solution. This applies well for organizations wishing to use ISO standards with global recognition without necessarily achieving an ISO 27001 certification.
·         The associated certification for ISO 27002 (ISO 27001) provides worldwide recognition and acceptance, and therefore organizations wishing to operate across international boundaries may find implementation and certification advantageous. Additionally, some ISO 27001 certified companies require partners to become certified as well.
·         U.S. government organizations are required to use NIST in order to comply with federal law. Additionally, non-federal organizations may also use the NIST standard, but other standards such as ISO 27002 or ITIL may be better suited, as NIST can be difficult to implement for some organizations.




What is the easiest standard?

From the implementation point of view, ITIL is the easiest standard to implement, because ITIL can be implemented partially without affecting performance. For example, if the IT department lacks budget, it could choose to implement the IT Service Delivery layer only, and the next year implement IT Release Management or IT Problem Management.

However, COBIT and ISO 27001 are quite difficult to implement partially, since a process must first be seen in the bigger picture before it can be implemented in parts.
