A tremendous number of articles have been written about ISO 17799, ITIL and COBIT. Unfortunately, a number of these articles inaccurately identify these three bodies as control frameworks, and I am repeatedly encountering IT people who are confused about this. Let’s take a moment to reset perspectives, both about controls and which of these three bodies of knowledge really is an overall IT control framework.
First, let’s make sure we understand what controls are. Think of controls as mechanisms that keep IT in check in terms of delivering value and managing risk. To put it another way, think of them as safeties that allow for better preservation of value through the management of risks. Or as Stephen Katz, former CISO of Citibank, puts it, IT controls are like the brakes on a car. Not only do they serve to stop the car and keep it under control, they enable the driver to actually go faster and still remain safe.
This is the perspective that IT and management must have these days. Controls aren’t a necessary evil mandated by regulation. They not only are a necessity, but also can generate positive results when done correctly. For example, people reject adopting a formal change management process because they fear it will slow down implementation of changes — yet they don’t stop and look at the delusion of speed. Yes, the changes are getting slammed in. However, how many of those changes fail during installation or go on to create incidents and problems?
We can demonstrate repeatedly that change management is a foundation control for both security and availability, yet we still run into arguments from people who don’t see the causal link between their own unmanaged changes, human error, and the often-cited finding that roughly 80% of problems trace back to those changes.
Next, let’s look at the concept of a control framework. Essentially, a framework is a collection of controls organized to highlight what needs to be done at various levels of the organization. It’s an outline, if you will, that tells what but not how, because that level of detail is something you must fill in.
Never forget that because organizations differ, their control needs also will differ. For example, all groups need change management, but how it’s implemented will depend on the enterprise. Delving into the work instruction level, access controls are needed, but how they are handled on a mainframe vs. a Windows network will vary. The point is that you will need to tune your policies, procedures and work instructions not only to meet the spirit of the controls but also to be feasible in the context of your organization.
Now, let’s turn our attention to the three bodies of knowledge — ISO 17799, ITIL and COBIT. Only COBIT is an overall control framework for IT. The others simply are not.
ISO 17799 (the International Organization for Standardization’s code of practice for information security management) is an excellent standard for IT security. ITIL (the IT Infrastructure Library), on the other hand, is an authoritative source of descriptive IT best practices, notably in operations and service management. Neither of these standards, however, is intended to create a sound overall foundation of control — only COBIT is.
Control Objectives for Information and related Technologies (COBIT) was born of the efforts of dedicated, experienced practitioners who recognized the need for a coherent set of controls to manage IT. Numerous existing standards and practices were reviewed to identify the controls it covers, and it is still evolving.
COBIT actually predates Sarbanes-Oxley (SOX), which is why its publishers had to release their very well-done “Control Objectives for Sarbanes-Oxley” document: it explains which elements of the COBIT framework are needed for SOX and how to view those controls. If you haven’t read the COBIT SOX document, you should. I recommend it, along with the full COBIT framework documentation, to IT pros who need to learn about controls in depth. Its relevance extends far beyond Sarbanes-Oxley to any group that wishes to understand and improve controls inside IT.
For those looking at COBIT for the first time, remember that there are no detailed tasks and instructions about what to do. As mentioned earlier, this is precisely where ITIL and ISO 17799 come into play. They can fill in the blanks about how to structure processes. For example, ITIL’s Service Support book has a definitive example of Change Management. The trick for practitioners is to select what to do on the basis of your organization’s needs/risks, resources, timeframe, etc.
In summary, people must realize that only COBIT is a true framework. ITIL and ISO 17799 are excellent sources of practice information, but they are not control frameworks. Implementing these controls shouldn’t be viewed as a necessary evil. Use COBIT as your control framework reference and then leverage ITIL and ISO 17799 for process improvement. It is very realistic to expect both compliance and process improvement through your efforts.