ITGI and OGC have released a 131-page management briefing, Aligning COBIT 4.1, ITIL V3 and ISO/IEC 27002 for Business Benefit.
This project was developed with the Office for Government Commerce (OGC) to update the very popular management briefing first produced in 2005. The briefing applies generally to all IT best practices but focuses on three specific practices and standards that are becoming widely adopted around the world. It has been updated to reflect the latest versions:
- ITIL V3—Published by the UK government to provide a best practice framework for IT service management
- COBIT 4.1—Published by ITGI and positioned as a high-level governance and control framework over IT processes
- ISO/IEC 27002:2005—Published by the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) to provide a framework of a standard for information security management
Executive Summary
Every enterprise needs to tailor the use of standards and practices to suit its individual requirements. All three standards/practices covered in this guide can play a very useful part—COBIT and ISO/IEC 27002 helping to define what should be done and ITIL providing the how for service management aspects.
The growing adoption of IT best practices has been driven by a requirement for the IT industry to better manage the quality and reliability of IT in business and respond to a growing number of regulatory and contractual requirements.
There is a danger, however, that implementation of these potentially helpful best practices can be costly and unfocused if they are treated as purely technical guidance. To be most effective, best practices should be applied within the business context, focusing on where their use would provide the most benefit to the organization.
Top management, business management, auditors, compliance officers and IT managers should work together to make sure IT best practices lead to cost-effective and well-controlled IT delivery.
IT best practices enable and support:
- Better management of IT, which is critical to the success of enterprise strategy
- Effective governance of IT activities
- An effective management framework of policies, internal controls and defined practices, which is needed so everyone knows what to do
- Many other business benefits, including efficiency gains, less reliance on experts, fewer errors, increased trust from business partners and respect from regulators
The briefing applies generally to all IT best practices but focuses on three specific practices and standards that are becoming widely adopted around the world.
It has been updated to reflect the latest versions:
- ITIL V3—Published by the UK government to provide a best practice framework for IT service management
- COBIT 4.1—Published by ITGI and positioned as a high-level governance and control framework
- ISO/IEC 27002:2005—Published by the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) and derived from the UK government’s BS 7799, renamed ISO/IEC 17799:2005, to provide a framework of a standard for information security management
Descriptions of each of these can be found in the main body of the briefing.
Implementation of best practices should be consistent with the enterprise’s risk management and control framework, appropriate for the enterprise, and integrated with other methods and practices that are being used. Standards and best practices are not a panacea; their effectiveness depends on how they have been implemented and kept up to date.
They are most useful when applied as a set of principles and as a starting point for tailoring specific procedures. To avoid practices becoming ‘shelf ware’, management and staff must understand what to do, how to do it and why it is important.
Implementation should be tailored, prioritized and planned to achieve effective use. This briefing describes some pitfalls that should be avoided.