
Standards For IT Governance

ITIL, COBIT, and ISO 17799 provide a blueprint for managing IT services.

It's long been accepted that constant change is fundamental to IT. While most IT pros understand that change is part of the game, the organizations they support often resist it or have a hard time understanding why IT operates under the strictures it does. CIOs must be prepared to overturn accepted norms in the pursuit of innovation. Finessing those changes means more than just leadership skills or charisma. It calls for having a clear blueprint as to the direction of the organization and its goals.

Many organizations struggle with that blueprint. It's not simple for IT to define its goals, position services and the need for constant evolution, and then communicate its capabilities and services to its line-of-business customers. The good news is that a lot of thinking has already gone into the problem.


The answer for many has been to follow the models set down in ITIL 2.0 (Information Technology Infrastructure Library), the 10-book set of best practices for IT service management that's gained wide popularity among international organizations and the vendor community. While ITIL will go far, skeptics contend that it's too specific. IT needs to think more broadly, they say, and blend ITIL with other, broader specifications. COBIT, or Control Objectives for Information and Related Technology, and ISO 17799, which is more specific to security, along with ITIL form the basis of a blueprint for IT governance.

COBIT's Pentagon

COBIT's goal is to help IT understand the needs of the business and to put practices in place to meet them as efficiently as possible. Its five focus areas are as follows. Strategic alignment keeps IT and more general enterprise planning in sync. Value delivery takes that strategic value proposition and delivers on it. Resource management helps IT put its money and other assets where they'll do the most good, while risk management establishes a conversation between corporate officers and IT executives so that systems reflect the enterprise's aversion to risk. Performance management monitors IT's implementation efforts, providing measures for success and constant improvement.

Attempting to mix the three management specifications--COBIT, ITIL, and ISO 17799--can be daunting, and much work has been done to harmonize them. You can think of the three this way: COBIT tells you what to monitor and control. ITIL describes how to go about implementing the processes for doing that. ISO/IEC 17799:2000 lays out a process for securing those services and addressing legal requirements.

COBIT was published by the IT Governance Institute and is positioned as a high-level governance and control framework. The framework specifies 34 high-level control objectives for IT processes. Corresponding to these 34 control objectives are 318 recommended detailed control objectives to provide management assurance and advice for improvement.

ISO/IEC 17799:2000 is a framework for information security management published by the International Organization for Standardization and the International Electrotechnical Commission. The standard was first published in 2000 and updated in June 2005. It specifies best practices for security in 12 areas and offers guidance on such topics as protecting personal data, internal information, and intellectual property.

ITIL was developed by the U.K. government starting in the '80s and provides best practices for delivering IT services. The first version was a 48-book collection that was subsequently reduced to 10 books focusing solely on IT process. ITIL 3, released this year, is condensed into five books and refines the notion of IT service. Previously, core tenets were divided between service support and service delivery; these are now combined.
