Thursday, June 8, 2017

Journal Review (English Version)

Combining ITIL, COBIT, and ISO/IEC 27002
(in Order to Design a Comprehensive IT Framework in an Organization)


Introduction

Management is an attempt to direct and control a group of one or more people or entities for the purpose of coordinating and harmonizing them towards accomplishing a specific goal. At present, management encompasses several dimensions such as human resources, financial resources and technological resources. One new area of management is information technology management (or IT management). It is a combination of two branches of study, information technology and management.

'Information Technology' has several definitions from different perspectives:

- From the first perspective, IT systems are applications and infrastructure which are components of a larger product. They enable or are embedded in processes and services.
- From the second perspective, IT is an organization with its own set of capabilities and resources. An IT organization can be one of various types, such as a business function, a shared service unit or an enterprise-level core unit.
- From the third perspective, IT is a category of services utilized by the business. They are typically IT applications and infrastructure that are packaged and offered as services by the internal IT organization or by external service providers. In this perspective IT costs are treated as business expenses.
- From the fourth perspective, IT is a category of business assets that provide a stream of benefits for their owner, including but not limited to revenue, income and profit. In this perspective IT costs are treated as investments.

All definitions emphasize the importance of IT in the organization; therefore it is crucial to manage and implement IT in organizations. There are several standards, tools, frameworks and best practices to manage and maintain IT services. Among the most applicable and widely used such standards is ISO/IEC 27002 in information security. Hence it is better to combine them to make a comprehensive IT framework in the organization. Based on previous studies, the best combination should be achieved by laying ITIL, COBIT and ISO/IEC 17799 together. But the ITIL de-facto standard and the ISO/IEC 17799 standard have recently been refreshed and changed.


ITIL

ITIL (Information Technology Infrastructure Library) is a de-facto standard which was introduced and distributed by the Office of Government Commerce (OGC) in the UK and covers all IT parts of an organization. At present ITIL is the most widely accepted approach to IT service management in the world. It has an iterative, multidimensional, lifecycle-form structure. ITIL has an integrated approach, as required by the ISO/IEC 20000 standard, with the following guidance.

  • Service Strategy

Service Strategy provides guidance on how to design, develop and implement service management from the perspective of organizational capability and strategic assets. It provides guidance on the principles underpinning the practice of service management, which are useful for developing service management policies, guidelines and processes across the ITIL service lifecycle. Service Strategy guidance is applicable in the context of the other parts of the ITIL lifecycle. Service Strategy covers these parts of the IT system: the development of markets, internal and external, service assets, the service catalogue and the implementation of strategy through the service lifecycle.

  • Service Design

It is guidance for the design and development of services and service management processes. It covers design principles and methods for converting strategic objectives into portfolios of services and service assets. The scope of Service Design includes the changes and improvements necessary to increase or maintain value to customers over the lifecycle of services, the continuity of services, the achievement of service levels and conformance to standards and regulations. It guides organizations on how to develop design capabilities for service management.

  • Service Transition

It is guidance for the development and improvement of capabilities for transitioning new and changed services into operations. Service Transition provides guidance on how the requirements of Service Strategy encoded in Service Design are effectively realized in Service Operation while controlling the risk of failure and disruption. This part of the ITIL framework combines practices in release management, program management and risk management and places them in the practical context of service management.

  • Service Operation

Service Operation embodies practice in the management of service operations. It includes guidance on achieving effectiveness and efficiency in the delivery and support of services so as to ensure value for the customer and the service provider. Strategic objectives are ultimately realized through Service Operation, which therefore makes it a critical capability.

  • Continual Service Improvement

This includes instrumental guidance on creating and maintaining value for customers through better design, introduction and operation of services. It combines principles, practices and methods from quality management, change management and capability improvement. Organizations learn to realize incremental and large-scale improvements in service quality, operational efficiency and business continuity.


COBIT

Control Objectives for Information and related Technology (COBIT) is a set of best practices (a framework) for information technology management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992. COBIT was released and used primarily by the IT community. Later, Management Guidelines were added, and COBIT became the internationally accepted framework for IT governance and control.

COBIT provides managers, auditors and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of information technology and in developing appropriate IT governance and control in a company.

The COBIT mission is to research, develop, publicize and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors. Managers, auditors and users benefit from the development of COBIT because it helps them understand their IT systems and decide the level of security and control that is necessary to protect their companies' assets through the development of an IT governance model.

COBIT covers four domains:

  • Plan and Organize

The Plan and Organize domain covers the use of technology and how best it can be used in a company to help achieve the company's goals and objectives. It also highlights the organizational and infrastructural form IT is to take in order to achieve optimal results and to generate the most benefits from the use of IT.

  • Acquire and Implement

The aim is to identify the company's IT requirements, acquire the technology and implement it within the company's current business processes. This domain also addresses the development of a maintenance plan that a company should adopt in order to prolong the life of an IT system and its components.

  • Delivery and Support

This domain manages the delivery of services, which includes:
- Define and Manage Service Levels
- Manage Third-party Services
- Manage Performance and Capacity
- Ensure Continuous Service
- Ensure Systems Security
- Identify and Allocate Costs
- Educate and Train Users
- Manage Service Desk and Incidents
- Manage the Configuration
- Manage Problems
- Manage Data
- Manage the Physical Environment
- Manage Operations

  • Monitor and Evaluate

The Monitor and Evaluate domain deals with a company's strategy in assessing its needs and whether or not the current IT system still meets the objectives for which it was designed and the controls necessary to comply with regulatory requirements. Monitoring also covers the issue of an independent assessment, by internal and external auditors, of the effectiveness of the IT system in meeting business objectives and of the company's control processes.


ISO/IEC 27002

This is an information security management system (ISMS) standard which is the code of practice for information security management. It lists security control objectives and a recommended range of specific security controls.

Organizations that implement an ISMS in accordance with the best-practice advice in ISO/IEC 27002 are likely simultaneously to meet the requirements of ISO/IEC 27002, but certification is entirely optional (unless mandated by the organization's stakeholders).


ITIL related to COBIT

The strength of ITIL is the way processes are described, with different activities and flowcharts to use for targeted implementation. Cost/benefit and implementation issues are also described. There are also guidelines for reviews and Critical Success Factors, but these issues are better described in COBIT. First of all, COBIT is defined by the IT-audit community as a framework highly suitable for authority. COBIT is also stronger when it comes to management issues, where the "Management Guidelines" provide the implementer with a reference in which Critical Success Factors are described together with Key Goal Indicators, Key Performance Indicators and Capability Maturity Models (CMM).

When ITIL is benchmarked against COBIT, it has been found that they correspond with each other to a high degree, especially when the processes of COBIT are ITIL-based, as in its latest version. Although different words are used for the same issues, they cover the same problems. It is only for Incident Management in ITIL that there is no equivalent in COBIT. This, however, does not mean that it is not covered at all; instead it may be covered in another part of the framework or with a different approach. As shown in the table, it is therefore better to borrow concepts/processes, activities, cost/benefits and planning for implementation from the ITIL standard and audits from COBIT to design a comprehensive framework.


ITIL related to ISO/IEC 27002

As already mentioned, ISO/IEC 27002 is used for information security and not just IT issues. With such a broad objective it is apparent that ISO/IEC 27002 does not correspond with ITIL as much as ITIL does with COBIT. The main strength of ISO/IEC 27002 is in its application for ensuring overall security at all levels within an organization.

Problem Management and Configuration Management in ITIL have no equivalent in ISO/IEC 27002. Configuration Management has a huge impact on the IT environment and should be handled in a secure manner. In addition, in ISO/IEC 27002 security is characterized as the preservation of confidentiality, integrity and availability, whereas in ITIL availability is about quality aspects such as reliability, maintainability, serviceability and resilience. Another important finding in the benchmark is that financial issues are not handled at all in ISO/IEC 27002; instead it is only about risk management, i.e. the implementer should mitigate risks to avoid costs. ITIL, on the other hand, is about financing and cost allocation for the delivery of IT services.

Therefore it is better to borrow the information security process from ISO/IEC 27002 in designing a comprehensive framework.



Conclusion

In every organization today, IT services must be delivered in a cost-efficient manner, mitigating security risks and complying with legal requirements. The equation is difficult to handle and in some cases it seems like an impossible mission. To be able to survive in this environment, a combination of ITIL, COBIT and ISO/IEC 27002 can be valuable for organizational targets. Implementers should use ITIL to define strategies, plans and processes, use COBIT for metrics, benchmarks and audits, and use ISO/IEC 27002 to address security issues and mitigate risk, as shown below in Table 2.

Table 2

ITIL                        | COBIT                     | ISO/IEC 27002
----------------------------|---------------------------|---------------------
Concepts/process            | Critical Success Factors  | Information Security
Activities                  | Metrics (CSF, KPI)        |
Cost/Benefits               | Benchmarking (CMM)        |
Planning for Implementation |                           |
                            | Audit                     |

