Everyone’s been complaining about Sarbanes-Oxley and other government induced compliance formulae for several years now (everybody, of course, except the auditors and consultants who make a ton of money on compliance and related activities). Technology has become part of the compliance process in some very important ways. Let’s talk about the role that IT governance plays in compliance and the frameworks out there to help us all stay legal.
The Control Objectives for Information and Related Technology (COBIT) framework — according to the Information Systems Audit and Control Association (ISACA) — is:
“An IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues, and business risks. COBIT enables clear policy development and good practice for IT control throughout organizations. COBIT emphasizes regulatory compliance, helps organizations to increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework.”
According ITIL and ITSM World, ITIL (the IT Infrastructure Library):
“Consists of 6 sets: Service Support; Service Delivery; Planning to Implement Service Management; ICT Infrastructure Management; Applications Management; The Business Perspective. Within these a variable number of very specific disciplines are described.
“Although the UK Government actually created ITIL via the CCTA, it is rapidly being adopted across the world as the standard for best practice in the provision of IT Service. Although ITIL covers a number of areas, its main focus is certainly on IT Service Management (ITSM).
“IT Service Management (ITSM) itself is generally divided into two main areas, Service Support and Service Delivery. Together, these two areas consist of 10 disciplines that are responsible for the provision and management of effective IT services.”
I must admit that several years ago I wasn’t a huge fan of these frameworks, but I have come around primarily because I’ve seen large and medium-sized organizations use them effectively. I’m especially happy about the readiness of our industry to implement the frameworks. Trends like hardware standardization, common software architectures and well-defined support processes have made it possible to use frameworks to monitor and leverage technology.
So what’s going on with these frameworks?
First and foremost, the adoption of ITIL and COBIT is part of the maturation of the technology profession. Both frameworks embed best business technology management practices. Do they relate to each other? Yes, COBIT is a higher-level business value framework while ITIL is a lower level infrastructure service performance framework. The ideal configuration is a combination of both frameworks where ITIL measures internal technology efficiencies and COBIT interprets them in the context of business value. In fact, the latest versions of these frameworks talk to each other enabling integration.
Like so many governance frameworks, tools, concepts and ideas, COBIT and ITIL have gained notoriety recently because of their contribution to regulatory compliance. IT auditors are encouraging their clients to think about these frameworks to improve compliance — and make everyone’s life easier. While compliance is a nice by-product of their use the primary reason for framework adoption is business technology discipline.
So where are you on this governance, compliance path? Have you examined COBIT and ITIL? They’re worth a look. Not only will they keep the IT auditors at bay, they’ll help you manage your technology and better connect its performance to business outcomes. Just make sure you track what the consultants are doing.