Wednesday, November 24, 2010

A comparison of the business and technical drivers for ISO 27001, ISO 27002, COBIT and ITIL

Level: Intermediate
Prerequisite: Basic Understanding of ISO 27001, ISO 27002, COBIT and ITIL

Firstly, ISO 27001 is a security standard, whereas COBIT and ITIL are frameworks of best practices. ISO 27001 is often used in conjunction with ISO 27002, because ISO 27001 contains only the requirements for what needs to be done, while ISO 27002 provides the guidelines for doing it.

According to the diagram, COBIT covers more domains than ISO 27001 and ITIL, but with less guidance. ITIL, on the other hand, is easier to apply because it comes with more checklists and procedures. ISO 27001, being a standard, goes deeper within its domains. Specifically, COBIT has 4 processes and 34 domains, ITIL has 9 processes and ISO 27001 has 10 domains.

Generally speaking, COBIT is for measuring and assessing IT controls, ITIL for improving internal IT services, and ISO 27001 for IT governance.
The function of COBIT is to map IT processes to business objectives. ITIL addresses service management. ISO 27001 gets companies compliant with an international standard covering various aspects of security management, such as the establishment, implementation and improvement of an information security management system.

COBIT aims to maximize the benefits derived from the use of IT through appropriate governance and control, by providing managers and auditors with a set of accepted measures and indicators.
COBIT can also provide a systematic approach to identifying the root causes of deficiencies.

COBIT is business-oriented. It is usually chosen by companies that are performing an audit and want to give their managers an in-depth view of their infrastructure's efficiency.

ISO 27001 is a standard, whereas ISO 27002 is a set of best practices; it is really a guideline on how to implement ISO 27001. Each domain of ISO 27001 sets specific requirements that a company needs to fulfill in order to be compliant, but there are no specific guidelines or technical requirements, such as which infrastructure must be built or how to build it. That is why ISO 27001 and ISO 27002 often go together.

ITIL is quite similar to COBIT, but ITIL is more IT service-based while COBIT is more process-based. In other words, the unit of measurement in ITIL is the service, and in COBIT it is the process.

According to the website SecurityProcedure, the end result of implementing COBIT is an information systems audit, of ITIL managed service levels, and of ISO 27001 compliance with a security standard.

From an implementation view, ITIL is probably the easiest to implement, because it is a set of best practices with checklists and guidelines. Besides that, ITIL can be implemented partially, according to the website SecurityProcedure. Hence, a company can decide to implement one layer first, such as IT service delivery or IT release management, and implement the others the following year. For ISO 27001 and COBIT this is not feasible, because they take a broad view of the whole system first and only then move to the implementation phase. As for ISO 27001, it is a standard that touches three aspects of a company: people, process and technology; so it requires a deep understanding of the company's profile. However, the final choice is still up to each company; it depends on its budget and its goals.

ITIL has a more robust certification system for IT professionals. However, there are some criticisms regarding the price of the books, which are not affordable for non-commercial users; in other words, it seems too proprietary. COBIT is not a standard, so companies cannot claim to be COBIT compliant. ISO 27001, however, is an information security management system standard that a company can comply with.

Moreover, from a technical view, companies get compliant with ISO 27001 to avoid ad hoc information security management, and to establish, implement and continually improve the management system. For COBIT, the aim is to map IT goals to business goals and vice versa, and to create clear ownership of processes with clear performance indicators. ITIL aims to improve IT services.

COBIT Introduction

CobiT / ISO 20000 / ITIL / ISO 27001

The Business Advantages of ITIL

Using iso27001 to your advantage

  1. ISO 27001 training has a lot of benefits for every company and for you as an employee. Acquiring it will enhance your expertise to perform an ISMS audit as specified by ISO/IEC 27000:2005, and you will be able to manage an ISMS audit team. It improves the ability to analyze the internal and external environment of an organization, risk assessment and audit decision-making in the context of an ISMS, and much more.

  2. Before RS implemented ISO 27001 Download, their security controls addressed only certain aspects of IT or data security, specifically leaving non-IT information assets less protected. After a gap analysis to help identify, manage, and minimize the range of threats that information is regularly subjected to, RS successfully implemented 132 of the 133 controls required by ISO 27001.

  3. COBIT is a framework for developing, implementing, monitoring and improving information technology (IT) governance and management practices.

    COBIT Training Certification Course

