Aligning CobiT® 4.1, ITIL® V3 and ISO/IEC 27002 for Business Benefit

Every enterprise needs to tailor the use of standards and practices to suit its individual requirements. All three standards/practices covered in this guide can play a very useful part—CobiT and ISO/IEC 27002 helping to define what should be done and ITIL® providing the how for service management aspects.

The growing adoption of IT best practices has been driven by a requirement for the IT industry to better manage the quality and reliability of IT in business and respond to a growing number of regulatory and contractual requirements.

There is a danger, however, that implementation of these potentially helpful best practices can be costly and unfocused if they are treated as purely technical guidance. To be most effective, best practices should be applied within the business context, focusing on where their use would provide the most benefit to the organisation. Top management, business management, auditors, compliance officers and IT managers should work together to make sure IT best practices lead to cost-effective and well-controlled IT delivery.

IT best practices enable and support: • Better management of IT, which is critical to the success of enterprise strategy • Effective governance of IT activities • An effective management framework of policies, internal controls and defined practices, which is needed so

everyone knows what to do • Many other business benefits, including efficiency gains, less reliance on experts, fewer errors, increased trust

from business partners and respect from regulators

The briefing applies generally to all IT best practices but focuses on three specific practices and standards that are becoming widely adopted around the world. It has been updated to reflect the latest versions: • ITIL® V3—Published by the UK government to provide a best practice framework for IT service management • CobiT 4.1—Published by ITGI and positioned as a high-level governance and control framework

• ISO/IEC 27002:2005—Published by the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) and derived from the UK government’s BS 7799, renamed ISO/IEC 17799:2005, to provide a framework of a standard for information security management

Descriptions of each of these can be found in the main body of the briefing.

Implementation of best practices should be consistent with the enterprise’s risk management and control framework, appropriate for the enterprise, and integrated with other methods and practices that are being used. Standards and best practices are not a panacea; their effectiveness depends on how they have been implemented and kept up to date. They are most useful when applied as a set of principles and as a starting point for tailoring specific procedures. To avoid practices becoming ‘shelfware’, management and staff must understand what to do, how to do it and why it is important.

Implementation should be tailored, prioritised and planned to achieve effective use. This briefing describes some pitfalls that should be avoided.

To achieve alignment of best practice to business requirements, formal processes in support of good IT governance should be used. The OGC provides management guidance in its Successful Delivery Toolkit ( sdtoolkit/) and best practice frameworks for project management (PRINCE2), Managing Successful Programmes (MSP) and Management of Risk (M_o_R ®): Guidance for Practitioners; see ITGI provides the IT Governance Implementation Guide Using CobiT and Val IT, 2nd Edition.

CobiT can be used at the highest level of IT governance, providing an overall control framework based on an IT process model that is intended by ITGI to generically suit every enterprise. There is also a need for detailed, standardised practitioner processes. Specific practices and standards, such as ITIL® and ISO/IEC 27002, cover specific areas and can be mapped to the CobiT framework, thus providing a hierarchy of guidance materials. To better understand mapping amongst ITIL®, ISO/IEC 27002 and CobiT, refer to appendix I, where each of the CobiT 34 IT processes and control objectives has been mapped to specific sections of ITIL® and ISO/IEC 27002; appendix II, where a reverse mapping shows how ITIL® V3 key topics map to CobiT 4.1; and appendix III, where a reverse mapping shows how ISO/IEC 27002 classifications map to CobiT.

ITGI and OGC will continue to update their guidance documents, to further align the terminology and content with other guidance to facilitate easier integration, and to reflect the latest best practice.,ITIL®V3,ISO27002-Bus-Benefit-12Nov08-Research.pdf