Adding a little bit of structure into one's affairs never hurts, especially when it comes to IT business processes and IT assets.
To this end, various frameworks offer blueprints for achieving key organizational objectives like compliance and security. Three of the more popular IT governance frameworks—COBIT, ITIL, and TOGAF—are widely used by enterprises in this regard—let's see how they compare when it comes to bolstering cybersecurity and digital resilience.
Created by the IT Governance Institute and the Information Systems Audit and Control Association (ISACA), the COBIT framework—short for Control Objectives for Information and Related Technology—helps organizations in the creation, monitoring, and maintenance of IT governance and management practices. Currently on version 5, COBIT's control model is used by IT business process managers and stakeholders to ensure quality, control, and reliability of information systems in an organization.
Because the current version of the framework promotes better collaboration, agility, and shorter feedback loops, COBIT 5 in particular is appreciated for its effectiveness in reducing risk in IT implementations. More information regarding COBIT 5 is available from ISACA's website.
No discussion about ITIL can be had without first mentioning IT service management, or ITSM. In a nutshell, ITSM is the alignment of enterprise IT services and information systems with business and end-user/customer needs. It's about regarding IT as a way of delivering value to the business and customer, as opposed to just technology to be installed, managed, and secured.
ITIL—short for Information Technology Infrastructure Library—is the preeminent framework for implementing ITSM in organizations. Created and trademarked by AXELOS, ITIL has been adopted by millions of certified practitioners worldwide.
ITIL essentially provides a set of interrelated best practices that provide guidance for developing, delivering, and managing enterprise IT services. Check out AXELOS' page about ITIL and related resources. Maintaining good IT services results in secure and reliable assets.
The Open Group Architecture Framework (TOGAF) is the most popular framework for enterprise architecture. TOGAF provides methodologies and supporting tools for organizing and managing technology, ensuring that projects meet businesses’ objectives through systems with repeatable processes.
At the heart of the TOGAF framework is the Architecture Development Method, or ADM. It describes the methodology for developing and managing an enterprise architecture's lifecycle through continuous/cyclic and iterative phases (as depicted in the above diagram).
Core Distinctions: COBIT, ITIL, TOGAF
Tools alone won't cut it these days—effective cybersecurity requires taking a layered, continuous approach to security. And when it comes to digital resilience, a key mantra is the adoption of risk-based thinking: understanding the major risks and prioritizing controls/investments in security to achieve business outcomes.
COBIT, ITIL, and TOGAF all provide exceptional mechanisms for improvement and adjustment in the face of shifting risks and prioritizations; that said, the three differ in scope and audience: TOGAF is an architecture framework, while ITIL is an IT service framework and subsequently provides more guidance in this arena. And while COBIT is broader in scope than ITIL, the latter provides a more detailed narrative regarding service management enablers inside enterprise IT.
The following diagram illustrates how and where the frameworks overlap, including PMBOK (a common project management framework).
Despite the areas of overlap, these frameworks are more often used in conjunction with each other for achieving better organizational compliance, security, and overall digital resilience.
For example, firms often employ COBIT and ITIL together to guide the governance and management of enterprise IT services—with COBIT covering implementation, operation, and improvement and ITIL covering IT service management and business value enablement.
In the sections that follow, we will go deeper in depth in comparing and unpacking how COBIT and ITIL work. As service management frameworks, they are much closer together in the areas they serve, whereas TOGAF focuses more narrowly on the area of architecture and governing enterprise information technology architecture.
IT Service Management Best Practices
COBIT grew out of ISACA’s work in the field of computer systems auditing in the late 1960s. The organization, originally called the Information Systems Audit and Control Association, but now just named after the acronym, has gained widespread influence for establishing best practices and guidance in information systems auditing and control. COBIT comes with a strong set of best practices you can use for your organization’s IT service management.
COBIT’s core principles provide general guidelines that can help you improve your service management. Each of these principles, in turn, has best practices you can model to implement the principle in practice.
Here are three of the most important COBIT principles, with associated best practices for each principle:
- Principle: Meet Stakeholder Needs
- Set appropriate, concrete IT goals and KPIs, with a clear path to meeting stakeholder needs
- Assign tiers/levels of responsibility
- Principle: Cover The Enterprise End-To-End
- Inform organization members across the organization of the information assets that facilitate their business objectives or service design needs
- Principle: Separate Governance From Management
- Create authority levels
- Establish monitoring targets
Similar to COBIT, ITIL comes with a set of guiding principles that inspire many of the best practices for organizations’ IT service management. In the case of ITIL, there are seven universal guiding principles that are ingrained in ITIL process activities, and which will make it easier for organizational structures to benefit from ITIL. These are:
- Focus On Value
- Start Where You Are
- Progress Iteratively With Feedback
- Collaborate And Promote Visibility
- Think And Work Holistically
- Keep It Simple And Practical
- Optimize And Automate
Continuous improvement is a key concept in ITIL. Adopting the Continual Improvement Model is a best practice that allows you to take an iterative approach in realizing your organization’s vision. You will perform critical evaluation of IT processes, management processes, and effectiveness at each step as you go.
ITIL 4 also promotes adopting the Service Value Chain approach. This approach, popular in Six Sigma and Lean, involves outlining key activities required to respond to demand and creating value from the organization’s products and services.
Latest Framework Updates
Both of these influential IT service management standards have gone through significant revamps in the last few years. For COBIT, this involved the transition to COBIT 2019, which superseded COBIT 5 (launched in 2012). COBIT 2019 comes with more flexible, collaborative governance strategies. It is intended to have more frequent and fluid updates to help address new and changing technology.
COBIT 2019 introduces the following features:
- Better measurement of IT performance, aligned with the CMMI standards
- Focus areas with greater clarity on creating governance systems
- Ongoing updates released on a rolling basis
- Increased alignment with other global standards to enhance framework relevance and service improvement
- Better support for decision making and new collaborative features
- Open source approach to spur greater feedback from the governance community
An overriding theme in these COBIT 2019 features and updates is a focus on making the framework more flexible for businesses creating their IT governance strategy.
Also launched in 2019, ITIL 4 is the latest major update to the ITIL framework. It updates the framework in light of the latest trends in the IT, devops, and software realms.
The notable focus in ITIL 4 is towards providing a more flexible, practical foundation to support organizations’ endeavors for making progress towards the new world of digital transformation.
ITIL 4 includes four dimensions that should be part of any IT service management program in order to ensure an all-inclusive, approach. These dimensions, combined for enabling a holistic approach, are:
- Organizations and people
- Information and technology
- Partners and suppliers
- Value streams and processes.
Similar to COBIT, ITIL 4 development takes a more community-based approach. AXELOS, the organization that manages ITIL, has been collaborating with the broader IT industry and experts around the globe to update ITIL for the future.
Certification and Compliance
Any IT service management and governance program can benefit from proper certification or benchmarking, not to mention these steps are a key part of many organizations’ compliance requirements. Using COBIT or ITIL can help in this regard.
To help you set objectives for compliance in line with your business needs, COBIT comes with six distinct maturity levels for compliance and benchmarking:
- Level 0: Non-existent
- Level 1: Initial/Ad-hoc
- Level 2: Repeatable but intuitive
- Level 3: Defined Process
- Level 4: Managed and measurable
- Level 5: Optimized
Professionals in your IT department can master and prove their knowledge of COBIT 2019 and earlier versions by undergoing COBIT certification from ISACA. These certificates are available for COBIT 2019:
- COBIT 2019 Foundation
- COBIT Design and Implementation
- Implementing the NIST Cybersecurity Framework Using COBIT 2019
Besides these, other certification programs and certificates are available from ISACA.
ITIL also comes with a comprehensive certification scheme, offered by AXELOS. For ITIL 4, AXELOS introduced a revamped, streamlined certification program. This comes with a Foundation certificate, similar to what was offered in ITIL Version 3.
After a professional passes the Foundation exam, the professional can select between the ITIL 4 Strategic Leader path and the ITIL 4 Managing Professional path.
Here’s what’s contained in these two separate certification and mastery paths.
- ITIL 4 Strategic Leader (ITIL SL) - concentrates on digitally enabled services and business strategy. It comes with two certification modules:
- ITIL 4 Strategist Direct, Plan and Improve
- ITIL 4 Leader Digital and IT Strategy.
- ITIL 4 Managing Professional - helps professionals run successful IT enabled services, IT teams, and workflows. It has four modules:
- ITIL 4 Specialist Create, Deliver and Support
- ITIL 4 Specialist Drive Stakeholder Value
- ITIL 4 Specialist High-velocity IT
- ITIL 4 Strategist Direct, Plan and Improve.
Candidates with extensive, practical, hands-on expertise with ITIL 4 can also earn the designation of ITIL Master.
Case Studies Of Successful Implementation
The organizations that have adopted COBIT and ITIL range from large Fortune 500 corporations to educational institutions and government institutions around the world.
Looking at case studies of organizations implementing these frameworks successfully will give you a better idea of how they might work out for your own organization, as well as which of them might be a better fit.
Here are a few case studies of implementing COBIT:
- Maitland - This global advisory firm implemented COBIT to increase business oversight and accountability for IT.
- Saudi Arabian Municipality in Damman, Saudi Arabia - This municipality in Saudi Arabia, serving 7 million residents, used COBIT to provide an organized approach to information management and change management, with a view to reducing IT incidents.
- European Network of Transmission System Operators for Electricity (ENTSO-E) - This European electricity transmission government agency implemented COBIT for governance of enterprise IT.
ITIL has been implemented at organizations like Spotify and Newcastle University. Here’s an overview of some of these implementations:
- Spotify - In 2017, as this music streaming platform prepared to go public, it used ITIL to help achieve its compliance requirements.
- Disney - This mass media and entertainment company used ITIL to improve the availability, service delivery, and reliability of its IT services.
- Newcastle University - This Australian university adopted ITIL as part of IT investments to improve incidence management and address business problems.
As these case studies showcase, implementing an IT service strategy or IT governance single integrated framework like COBIT or ITIL can lead to your organization being better able to manage change or service transition, improve incident management, and instill a more service-oriented culture that better serves your customers’ needs.
Where necessary, you can even combine these frameworks in order to tailor your implementation to the exact needs of your enterprise.
As two of the leading frameworks in IT service management and IT governance, both COBIT and ITIL have ample learning resources available that can help guide your implementation.
These range from white papers and framework documentation that will be helpful for your team to look at, all the way to online training and conferences. In-person training and courses offered by the governing bodies of these standards will be especially helpful for upgrading specific skills across your teams.
For COBIT, ISACA offers conferences, white papers, and online resources to support your team’s business goals. Classroom training is also available, with a wide range of ITIL classes offered, including:
- COBIT 2019 Foundation Certificate Program
- COBIT 2019 Design and Implementation Certificate Program
Other training formats are available, including in-person training and online training.
For ITIL, the ITIL website by AXELOS offers a plethora of resources to help your team implement the ITIL standards, with whitepapers. Forums like the IT Service Management Forum (itSMF), as well as groups on LinkedIn and the Educause ITSM Community Group, bring the community together for discussions around topics like ITIL.
You can also find ITIL training service providers right around the world by searching from the AXELOS website. AXELOS also sells books like ITIL® Foundation, ITIL 4 edition, to help your team acquire skills at implementing and managing ITIL service projects in the real world.
Enabling Cybersecurity Efficacy In IT Service Management
In sum, organizations wishing to apply structure and repeatability/improvement to their information security and compliance efforts often employ multiple frameworks in tandem for maximum coverage. Cybersecurity efficacy and digital resilience are therefore unique measures per organization and can be achieved with any array of frameworks relevant to the business.
So instead of which is better for cybersecurity and digital resilience, a perhaps more important question is how to measure improvement in cybersecurity and digital resilience, be it from a compliance, integrity, or security angle. A great way to accomplish this is by choosing a dedicated cybersecurity solution, such as UpGuard BreachSight and UpGuard Vendor Risk to achieve compliance with various frameworks. Dedicated solutions help streamline the framework compliance process to ensure that your organization is covering all bases.