Governance Frameworks
COBIT, ITIL, ISO 27001 β what they are, what they're not, and how to choose.
Overview
Governance frameworks are only useful if you understand what each one actually requires and when to apply it. Knowing the acronyms is not the same as knowing the frameworks. Answer the five questions below with the depth of someone who has had to choose, implement, or be audited against one of these frameworks.
Read before you answer
IT governance frameworks provide structured approaches to aligning IT activities with business objectives, managing risk, and demonstrating accountability. The three frameworks most frequently encountered in enterprise environments serve different purposes and operate at different levels of abstraction. COBIT (Control Objectives for Information and Related Technologies), published by ISACA, is a governance and management framework focused on the processes and controls needed to ensure IT delivers value and manages risk. It defines 40 governance and management objectives across five domains β Evaluate, Direct and Monitor (EDM); Align, Plan and Organise (APO); Build, Acquire and Implement (BAI); Deliver, Service and Support (DSS); and Monitor, Evaluate and Assess (MEA) β and is commonly used as the basis for IT audit programmes and for demonstrating governance maturity to boards and regulators.
ITIL (Information Technology Infrastructure Library) is a framework for IT service management (ITSM), focused on how IT services are designed, delivered, and continuously improved. ITIL 4, the current version, organises guidance around a Service Value System and four dimensions of service management (organisations and people, information and technology, partners and suppliers, value streams and processes). It defines practices β including change enablement, incident management, problem management, and service desk β that describe what good looks like for operational IT processes. ITIL is not an audit or compliance framework; it is a practice guide. Organisations adopt ITIL practices to improve service quality and reduce operational risk. ISO/IEC 27001 is an international standard for information security management systems (ISMS). Unlike COBIT and ITIL, ISO 27001 can be formally certified against by an accredited certification body. It requires organisations to define the scope of their ISMS, conduct a risk assessment, select and implement controls from ISO 27002 (the companion control catalogue), and operate a continual improvement cycle. Certification is recognised by customers, regulators, and partners as evidence of a structured approach to information security governance.
Choosing the right framework depends on the purpose. Organisations implementing ISO 27001 are typically doing so to achieve certification β either because customers require it, because a market requires it, or to demonstrate security maturity. Organisations adopting COBIT are typically doing so to establish an IT governance programme that can be audited internally or by external auditors against defined control objectives. Organisations implementing ITIL practices are doing so to improve service delivery operations. These are not mutually exclusive: many mature organisations use ITIL for operational processes, COBIT for governance and control, and ISO 27001 for security management β with mappings between frameworks to avoid duplicating documentation and control evidence. A governance professional needs to understand what each framework is for, what it requires, and how to navigate the evidence and documentation obligations each imposes.