Adding a little bit of structure into one's affairs never hurts, especially when it comes to IT business processes and assets. To this end, various frameworks offer blueprints for achieving key organizational objectives like compliance and security. Three of the more popular frameworks—COBIT, ITIL, and TOGAF—are widely used by enterprises in this regard—let's see how they compare when it comes to bolstering cybersecurity and digital resilience.
Created by the IT Governance Institute and the Information Systems Audit and Control Association (ISACA), the COBIT framework—short for Control Objectives for Information and Related Technology—helps organizations in the creation, monitoring, and maintenance of IT governance and management practices. Currently on version 5, COBIT's control model is used by IT business process managers and stakeholders to ensure quality, control, and reliability of information systems in an organization.
COBIT 5 Process Reference Model. Source: isaca.org.
Because the current version of the framework promotes better collaboration, agility, and shorter feedback loops, COBIT 5 in particular is appreciated for its effectiveness in reducing risk in IT implementations. More information regarding COBIT 5 is available from ISACA's website.
No discussion about ITIL can be had without first mentioning IT service management, or ITSM. In a nutshell, ITSM is the alignment of enterprise IT services and information systems with business and end-user/customer needs. It's about regarding IT as a way of delivering value to the business and customer, as opposed to just technology to be installed, managed, and secured.
ITIL—short for Information Technology Infrastructure Library—is the preeminent framework for implementing ITSM in organizations. Created and trademarked by AXELOS, ITIL has been adopted by millions of certified practitioners worldwide.
The ITIL Framework. Source: Wikimedia Commons.
ITIL essentially provides a set of interrelated best practices that provide guidance for developing, delivering, and managing enterprise IT services. Check out AXELOS' page about ITIL and related resources.
The Open Group Architecture Framework (TOGAF) is the most popular framework for enterprise architecture. TOGAF provides methodologies and supporting tools for organizing and managing technology, ensuring that projects meet businesses objectives through systematic with repeatable processes.
TOGAF's ADM. Source: opengroup.org.
At the heart of the TOGAF framework is the Architecture Development Method, or ADM. It describes the methodology for developing and managing an enterprise architecture's lifecycle through continuous/cyclic and iterative phases (as depicted in the above diagram).
How They Stack Up
Tools alone won't cut it these days—effective cybersecurity requires taking a layered, continuous approach to security. And when it comes to digital resilience, a key mantra is the adoption of risk-based thinking: understanding the major risks and prioritizing controls/investments in security to achieve business outcomes. COBIT, ITIL, and TOGAF all provide exceptional mechanisms for improvement and adjustment in the face of shifting risks and prioritizations; that said, the three differ in scope and audience: TOGAF is a architecture framework, while ITIL is an IT service framework and subsequently provides more guidance in this arena. And while COBIT is broader in scope than ITIL, the latter provides a more detailed narrative regarding service management enablers inside enterprise IT.
The following diagram illustrates how and where the frameworks overlap, including PMBOK (a common project management framework).
Areas of overlap within popular frameworks. Source: ITpreneurs.com.
Despite the areas of overlap, these frameworks are more often used in conjunction with each other for achieving better organizational compliance, security, and overall digital resilience. For example, firms often employ COBIT and ITIL together to guide the governance and management of enterprise IT services—with COBIT covering implementation, operation, and improvement and ITIL covering IT service management and business value enablement.
In short, organizations wishing to apply structure and repeatability/improvement to their security and compliance efforts often employ multiple frameworks in tandem for maximum coverage. Cybersecurity efficacy and digital resilience are therefore unique measures per organization and can be achieved with any array of frameworks relevant to the business. So instead of which is better for cybersecurity and digital resilience, a perhaps more important question is how to measure improvement in cybersecurity and digital resilience, be it from a compliance, integrity, or security angle. The answer is with UpGuard's CSTAR—a single, easy-to-understand value representing an organization's aptitude in the areas of compliance, integrity, and security. Once you've implemented your framework(s) of choice, track your efforts and continuous improvement with UpGuard's platform for continuous validation.