It's long been accepted that constant change is fundamental to IT. While most IT pros understand that change is part of the game, the organizations they support often resist it or have a hard time understanding why IT operates under the strictures it does. CIOs must be prepared to overturn accepted norms in the pursuit of innovation. Finessing those changes means more than just leadership skills or charisma. It calls for having a clear blueprint as to the direction of the organization and its goals.

Many organizations struggle with that blueprint. It's not simple for IT to define its goals, position services and the need for constant evolution, and then communicate its capabilities and services to its line-of-business customers. The good news is that a lot of thinking has already gone into the problem.

The answer for many has been to follow the models set down in ITIL 2.0 (Information Technology Infrastructure Library), the 10-book set of best practices for IT service management that's gained wide popularity among international organizations and the vendor community. While ITIL will go far, skeptics contend that it's too specific. IT needs to think more broadly, they say, and blend ITIL with other, broader specifications. COBIT, or Control Objectives for Information and Related Technology, and ISO 17799, which is more specific to security, along with ITIL form the basis of a blueprint for IT governance.

COBIT, ITIL, AND ISO 17799

Attempting to mix the three management specifications--COBIT, ITIL, and ISO 17799--can be daunting, and much work has been done to harmonize them. You can think of the three this way: COBIT tells you what to monitor and control. ITIL describes how to go about implementing the processes for doing that. ISO/IEC 17799:2000 lays out a process for securing those services and addressing legal requirements.

COBIT was published by the IT Governance Institute and is positioned as a high-level governance and control framework. The framework specifies 34 high-level control objectives for IT processes. Corresponding to these 34 control objectives are 318 recommended detailed control objectives to provide management assurance and advice for improvement.

ISO/IEC 17799:2000 is a framework for information security management published by the International Organization for Standardization and the International Electrotechnical Commission. The standard was first published in 2000 and updated in June 2005. It specifies best practices for security in 12 areas and offers guidance on such topics as protecting personal data, internal information, and intellectual property.

ITIL was developed by the U.K. government starting in the '80s and provides best practices for delivering IT services. The first version was a 48-book collection that was subsequently reduced to 10 books focusing solely on IT process. ITIL 3, released this year, is condensed into five books and refines the notion of IT service. Previously, core tenants were divided between service support and service delivery; these are now combined.