Thursday, June 05, 2008

Alphabet Soup: Cobit, ITIL and ISO

Source: http://www.csoonline.com/article/221411/Alphabet_Soup_Cobit_ITIL_and_ISO

This post is about Malcolm Wheatley's interview with the expert Gary Hardy. Hardy is an adviser to both the IT Governance Institute and the Information Systems Audit and Control Association (ISACA), having been a member of the latter for more than 25 years.

The interview centres on the question "How do Cobit and ITIL differ?" Hardy's answer is: "Cobit [Control Objectives for Information and related Technology], whose latest version, the fourth release, was launched in November 2005, is a high-level set of objectives with management and assurance tools for overall IT governance. People call it a standard, but it is not a framework. ITIL is a set of best practices mostly focused on service delivery and service management, the delivery of IT services in terms of the processes that should be followed." Hardy also explained that people say Cobit is what you should do, and ITIL is how you should go about doing it, accepting that ITIL has a narrower scope.

Malcolm Wheatley then asked how ITIL approaches security issues. Hardy's answer is: "ITIL talks about security, but mostly in the context of service delivery. Frankly, security isn't really what ITIL is focused on; it's not its core strength, and it's not what people go to ITIL for."

Malcolm Wheatley's last question was about how Cobit approaches security issues. Hardy explained that Cobit has always been security-oriented and, at a high level, sets out what should be done about security, that is, the things that security should focus on. Cobit provides a set of objectives and guiding principles.

In my opinion, if a company's character is service oriented, it is better to use the ITIL framework for certifying the quality of its services, as Acer eDC does. If an organization or company focuses on the security aspect, it should adopt the Cobit standard. As the expert Hardy explained, Cobit is security-oriented and covers the things that should be done about security. If the Cobit standard is not popular in the location, ISO 17799 may be another option. Enterprises can choose the standard they need.
