ITIL, COBIT AND ISO 27001
Burcu Pelin TELLİ
İstanbul Üniversitesi-Bilgisayar
Mühendisliği
brcplntll@gmail.com
INTRODUCTION
• As large-scale applied computing (aka “Information Technology”) nears its eighth decade of practice, practitioners have generated a great deal of guidance on all its aspects. Some of this guidance has been developed under the imprimatur of governments, major research universities and pre-eminent professional organizations. There is the Information Technology Infrastructure Library (ITIL), sponsored by the United Kingdom via official publication channels, and the Control Objectives for Information Technology (COBIT), sponsored by the IS Audit and Control Association (ISACA). There is also the Capability Maturity Model-Integrated, developed for twenty years now by the Software Engineering Institute at Carnegie Mellon.
INTRODUCTION
• ITIL and COBIT have profound influence and reach in the IT industry globally, serving as defining frameworks for wide sections of IT practice. The frameworks are often utilized as stringent criteria for awarding contracts and assessing maturity, risk, and performance. Training ecosystems have arisen, and books, conferences, and research revolve around them. All essentially serve to define and stabilize much IT terminology and direct it towards a common description of IT practice.
• IT is under perpetual scrutiny and the industry is rife with criticism of IT’s ability to deliver consistently and manage itself well. It is therefore appropriate to pay critical attention to these frameworks’ assumptions and implications.
Business Process Management (BPM)
There is an extensive literature associated with Business Process Management (BPM), including how to identify or establish, formally document, and improve business processes. This literature is highly aligned with broader concerns of general business management, performance management, and the organization as a system. There is also substantial overlap between BPM and continuous improvement techniques such as Lean and Six Sigma. However, this article will cover the narrower topic of defining “process” usefully for operational purposes, especially in creating IT industry frameworks.
Business Process Management
(BPM)
BPM can be and is applied to IT management. ITIL® and COBIT® both use the term “process” pervasively, and are commonly referred to as “process” frameworks. Thus, they position themselves for scrutiny from a BPM perspective.
BPM Life Cycle
Business process management activities can be
arbitrarily grouped into categories such as design,
modeling, execution, monitoring, and
optimization.
ITIL, COBIT AND ISO 27001
• Governance frameworks exist to help businesses and organisations
implement best practice in their particular fields. They encourage the use
of proven methodologies, aid compliance with relevant standards, and can
generally help reduce risk and operating costs.
Three of the big governance frameworks for those operating in the
Information Technology space are ITIL (Information Technology
Infrastructure Library), ISO 27001 (International Standards Organisation)
and COBIT (Control Objectives for Information and Related Technology).
• All three frameworks offer a mix of guidance, advice and practical tools.
Each has its own focus, though they can be used in conjunction. The
latest version of COBIT now integrates with the ITIL standard.
ITIL, COBIT AND ISO 27001
For Example
• ITIL is focused on how IT Services should be used to underpin
business goals and objectives. Originally developed by the UK
government in the 1980s to standardise their growing IT use, it is
now used by institutions and businesses of all shapes and sizes.
• ISO 27001 is focused on information security standards, and was
last updated in 2013. It describes a number of best practice
guidelines for ensuring electronic data is maintained in a safe and
secure manner.
• COBIT is a governance framework aimed at regulatory compliance
and risk management. Now in its fifth edition, it covers areas like
audit and assurance and governance of enterprise IT systems.
ITIL (Information Technology Infrastructure
Library)
• ITIL consists of a series of books giving guidance on the provision of quality IT services, and on the accommodation and environmental facilities needed to support IT. ITIL has been developed in recognition of organizations' growing dependency on IT and embodies best practices for IT Service Management.
• Many of ITIL’s concepts come from a four-volume series called Management System for Information Systems by Edward A. Van Schaik. It was compiled at IBM in 1985; Van Schaik drew on Managing the Data Resource Function by Richard L. Nolan (1974).
ITIL History
• Originally developed by the United Kingdom Government.
• ITIL version 1 was developed under the Central Computer and Telecommunications Agency (CCTA). It was titled “Government Information Technology Infrastructure Management Methodology” (GITMM). GITMM was expanded to 31 volumes over the course of a project initially directed by Peter Skinner and John Stewart at the CCTA. The change of title came about due to foreign interest in GITMM and its positioning as guidance rather than a formal method.
• Although ITIL was developed in the 1980s, it wasn’t until the mid-90s that ITIL was widely adopted.
Service Support Goals for ITIL
• 1) Service desk
• 2) Incident Management
• 3) Problem Management
• 4) Change Management
• 5) Configuration Management
• 6) Release Management
Service Delivery Goals for ITIL
• 1) Capacity management
• 2) Availability management
• 3) Financial management of IT services
• 4) Service level management
• 5) IT service continuity management
ITIL (Information Technology Infrastructure Library)
• A business process analyst confronted with this list and attempting to apply the accepted definition of process may start by determining that Incidents, Changes, and Problems are indeed event-driven and countable, usually managed in some sort of IT ticketing system. It is therefore not hard to translate their functional naming into strong-verb processes:
• Resolve Incident
• Implement Change
• Correct Problem
• Similarly, diagramming them as cross-functional process flows should be straightforward, as should be measuring and controlling these processes.
• However, things become much murkier with “processes” like Capacity, Availability, and Configuration/Asset Management. What is a Capacity? How many Capacities have we done today? Does one “establish” Capacity, “adjust” it, “enhance” it, or “reduce” it? When was the last Availability finished? Who benefited? We can count Assets, but what about Configurations?
ITIL (Information Technology Infrastructure
Library)
• Obviously, these questions are somewhat nonsensical, but this is what happens when functions are confused with processes. ITIL does define its own limited set of “functions,” only in the Service Operation volume:
• Service Desk
• Technical management function
• IT operations function
• Application management function
• This leaves ITIL with 25 IT “processes” and four IT “functions.” This is exactly the inverse of much BPM guidance, which would suggest that the true, value-adding, enterprise-essential processes are relatively fewer than the functions.
Determining need for ITIL
Each category has a specific goal set, used to compare the company’s current level of service with the goals of the subcategories of Service Support. Generally speaking, the more goals a company is missing, the more likely it is that the company needs ITIL.
COBIT
• The Control Objectives for Information Technology, or COBIT,
takes a somewhat different tack in establishing its “processes.”
First, there is a clear attempt to start with a verb, as we can see
from this subset:
Determine Technological Direction
Manage Service Desk and Incidents
Ensure Continuous Service
Manage Changes
Enable Operation and Use
Manage Quality
COBIT
• However, these processes are often not crisp or countable. One is never done “managing,” “ensuring,” or “enabling.” As Sharp and McDermott state, “Name with Action Verbs, Not Mushy Verbs”. In actual IT practice, many COBIT processes seem more akin to steady-state IT functions, such as a Business Continuity Planning organization (for Ensure Continuous Service).
• The reader at this point may think the critique unfair, in that a functional area like Business Continuity Planning may well have smaller-grained, crisply countable processes. However, this is often true of functional silos, and leads to the problems of IT process proliferation, value obscurity, and unmanaged demand, which will be addressed below in “Consequences of process confusion.” Again, we need to hit a sweet spot of business visibility and criticality. Does the end user derive value from Business Continuity Planning per se, or is this better seen as a component or quality attribute of a more fundamental value concept, such as delivering an Application or Infrastructure Service?
Comparison of COBIT and ITIL
COBIT
• Control focused
• Uses IT metrics
• Used by auditors in SOX
• Critical Success Factors
ITIL
• Strong concentration on processes
• Security is a very important component
• Focused on Service Delivery
ISO 27001
• ISO 27001, part of the growing ISO/IEC 27000 family of standards, is an information security management system (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its full name is ISO/IEC 27001:2005 – Information technology – Security techniques – Information security management systems – Requirements. It was superseded, in 2013, by ISO/IEC 27001:2013.
ISO 27001
• ISO/IEC 27001 formally specifies a management system that is intended to bring
information security under explicit management control. Being a formal
specification means that it mandates specific requirements. Organizations that
claim to have adopted ISO/IEC 27001 can therefore be formally audited and
certified compliant with the standard (more below).
• The specification defines a six-part planning process:
Define a security policy.
Define the scope of the ISMS.
Conduct a risk assessment.
Manage identified risks.
Select control objectives and controls to be implemented.
Prepare a statement of applicability.
ISO 27001
• ISO 27001 uses a top-down, risk-based approach and is technology-neutral.
• The specification includes details for documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action. The standard requires cooperation among all sections of an organisation.
• ISO 27001 differs markedly from COBIT and ITIL: because ISO 27001 is a security standard, its domain is narrower but deeper than that of COBIT or ITIL.
Here is the detailed table of comparison between the three standards:

AREA           | COBIT                               | ITIL                                | ISO 27001
Function       | Mapping IT Process                  | Mapping IT Service Level Management | Information Security Framework
Area           | 4 Process and 34 Domain             | 9 Process                           | 10 Domain
Issuer         | ISACA                               | OGC                                 | ISO Board
Implementation | Information System Audit            | Manage Service Level                | Compliance to security standard
Consultant     | Accounting Firm, IT Consulting Firm | IT Consulting Firm                  | IT Consulting Firm, Security Firm, Network Consultant
What should be implemented first?
• There's no exact answer to this question, but I think it really depends on your company and your requirements. Most companies start by implementing COBIT first because it covers the general information system. After that they usually choose between ITIL and ISO 27001.
• Another consideration is budget and authority. COBIT implementation usually runs from the internal audit budget, while ITIL or ISO 27001 is usually performed using the IT department budget. This consideration usually makes the choice of which standard to implement first depend on management policy.
What is the easiest standard?
• From the implementation point of view, ITIL is the easiest standard to implement, because ITIL can be implemented partially and still not have an impact on performance. For example, if the IT department lacks budget, it could choose to implement the IT Service Delivery layer only, and the next year try to implement IT Release Management or IT Problem Management.
• However, COBIT and ISO 27001 are quite difficult to implement partially, since a process should first be seen in the bigger view before they can be implemented partially.
How to choose the right vendor?
• Many vendors say that they can help your company implement these standards effectively; in fact there is no one solution for all. Usually the COBIT vendors come from public accounting firms that have an IT audit arm, e.g. PwC, DTT, KPMG, EY. This type of vendor is the best choice for COBIT since they also work on COBIT implementation derivatives such as COBIT for Sarbanes-Oxley.
• The other standards, ITIL and ISO 27001, are usually served by general IT consulting companies, e.g. IBM, Accenture. For ISO 27001, most IT networking companies can also offer consultation on this standard.
References
1. The Stationery Office, ITIL® Service Operation: 2011 Edition. Information Technology Infrastructure Library 2011, Norwich, U.K.: The Stationery Office.
2. The Stationery Office, ITIL® Service Transition: 2011 Edition. Information Technology Infrastructure Library 2011, Norwich, U.K.: The Stationery Office.
3. The Stationery Office, ITIL® Continual Service Improvement: 2011 Edition. Information Technology Infrastructure Library 2011, Norwich, U.K.: The Stationery Office.
4. The Stationery Office, ITIL® Service Strategy: 2011 Edition. Information Technology Infrastructure Library 2011, Norwich, U.K.: The Stationery Office.
5. The Stationery Office, ITIL® Service Design: 2011 Edition. Information Technology Infrastructure Library 2011, Norwich, U.K.: The Stationery Office.
6. IT Governance Institute, COBIT® 4.1 2007, Rolling Meadows, IL: IT
8. http://www.eccinternational.com/consulting/it-process-excellence/isms-iso-27001
9. Burlton, R., Business Process Management: Profiting from Process. 2001, Indianapolis, Indiana: SAMS.
10. Harmon, P., Business Process Change: A Manager's Guide to Improving, Redesigning, and Automating Processes. 2003, Amsterdam: Elsevier.
11. Rummler, G.A. and A.P. Brache, Improving Performance: How to Manage the White Space on the Organization Chart. 2nd ed. The Jossey-Bass management series. 1995, San Francisco, CA: Jossey-Bass. xxv, 226 p.
12. Sharp, A. and P. McDermott, Workflow Modeling: Tools for Process Improvement and Applications Development. 2nd ed. 2009, Boston: Artech House. xx, 449 p.
13. https://en.wikipedia.org/wiki/Ana_Sayfa
14. https://www.collaboris.com/solutions/ITIL-COBIT-ISO27001-compliance
15. http://beefchunk.com/documentation/security-management/comparison_between_COBIT_ITIL_and_ISO_27001
16. http://www.itskeptic.org/content/why-cobit-wins-showdown-itil
17. http://www.eccinternational.com/consulting/it-process-excellence/isms-iso-27001