ITIL, Cobit and ISO27001

If you've done your research into current IT certifications, you'll see that Information Technology Infrastructure Library, or ITIL, is near the top of many lists. ITIL practices are designed to help companies identify areas where they need improvement, providing vendor-neutral guidelines on where to make specific changes to reduce costs and increase productivity.For example, you may use ITIL practices to reduce helpdesk traffic by implementing self-help sections on your company's website or you may use ITIL guidelines to decide whether something is done in-house or by a third-party.

Keep in mind: ITIL is not a tool but rather a set of best practices pertaining to IT service and lifecycle management.

The History of ITIL

Before we delve into whether you should implement ITIL practices, let's step back and look at its roots.

In the 1980s, the U.K.'s Government's Central Communications and Telecommunications Agency (CCTA) formulated a set of recommendations that was designed to provide a "practical, no-nonsense framework for identifying, planning, delivering and supporting IT services to the business."

ITIL began as a library consisting of books that discussed specific IT service management best practices, based on recommendations from the CCTA.

After its initial publication Version 1 of ITIL consisted of more than 30 volumes from 1986 to 1996. In 2000/2001, ITIL Version 2 was consolidated into eight sets of books that grouped related process guidelines for the various aspects of IT, namely services, applications and management. In April of 2001, the CCTA was merged into the Office of Government Commerce (OGC).The OGC announced ITIL Version 3--now known as the ITIL 2007 Edition--in May of 2007. It consisted of 26 processes and functions and contained in five core publications:

1. Service Strategy
2. Service Design
3. Service Transition
4. Service Operation
5. Continual Service Improvement

In July of 2011, ITIL was updated again. This update provided additional guidance with the definition of formal processes that were not previously well-defined, and corrected various errors and inconsistencies that had crept in over the years.

At this point, the OGC was no longer listed as the owner of ITIL, and it was consolidated into the Cabinet Office. The 2011 edition of ITIL is owned by the HM Government. As of January 31, 2012, ITIL certification exams have focused on the ITIL 2011 syllabus (the core principles of ITIL practices for Service Management), rather than that of the ITIL 2007 Edition.

The ITIL Qualification Scheme and Credit System

The ITIL Qualification Scheme uses a modular credit system called the ITIL Credit System. All ITIL and ITIL-related qualifications within the ITIL Credit System are assigned a specific credit value. As those credits are applied, the applicant qualifies to test for a higher level of certification. There are five levels of qualifications within the ITIL Qualification Scheme that include the following:

• ITIL Foundation, which scores candidates with 2 credits, consists of 40 multiple-choice questions. No prerequisites are required to take this examination. It deals with key elements, concepts and terminology associated with ITIL service lifecycle management.
• ITIL Intermediate Level, which scores the candidate with 15 or 16 credits, is open to candidates who have already passed the ITIL Foundation exam and have completed an accredited training course. The intermediate level includes two elements: Service Lifecycle examinations: Service Strategy, Service Design, Service Transition, Service Operation, and Continual Service Improvement as well as Service Capability examinations: Planning Protection and Optimization, Release Control and Validation, Operational Support and Analysis, and Service Offerings and Agreements.
• ITIL Managing Across the Lifecycle (MALC), which scores the candidate with 5 credits, requires the candidate to have passed the ITIL Foundation exam, along with an additional 15 credits from passing ITIL Intermediate exams, giving them a minimum of 17 credits in order to take this exam. This is also the gateway exam to achieve ITIL Expert Level.
• ITIL Expert Level requires the candidate to have accumulated 22 credits that have been gained by passing the ITIL Foundation, Intermediate Level and MALC exams.

ITIL Master Qualification requires the candidate to already be ITIL Expert-level qualified. To achieve the ITIL Master Qualification, candidates must "explain and justify how they selected and individually applied a range of knowledge, principles, methods and techniques from ITIL and supporting management techniques, to achieve desired business outcomes in one or more practical assignments."When a candidate completes a given level of the ITIL examination, he or she is given the certification and the attributed credits. Each level of certification has its own requirements, all of which include earning a specific number of credits.

ITIL Complementary Qualifications

Fortunately, the ITIL Credit System provides credits for other IT certifications (called ITIL Complementary Qualifications) the applicant has passed, including these:

• Problem Analyst, an APMG-International qualification teaches candidates how to prevent problems and incidents from happening. This qualification is worth 1.5 credits.
• Lean IT, an APMG-International qualification, teaches candidates how to create a value-oriented, customer-centric culture, while removing waste, inflexibility and variability. This qualification carries 0.5 credits.
• ISO/IEC 20000, an APMG-International certificate, enables companies to demonstrate excellence and prove best practice in IT management. It is worth 1.5 credits.
• Service Catalogue is an APMG-International certification for those who already have an ITIL Foundation certificate. It teaches applicants how to control demand, publish and track service pricing and cost as well as automate service request management and fulfillment. This qualification is worth 1.5 credits.
• IT Service Management Foundation is an EXIN and Tuev-Sued IT Service Management Foundation based on ISO/IEC 20000. It focuses on the core principles, practices and processes of a quality approach to IT Service Management and is worth 1 credit.
• Certified Process Design Engineer (CPDE), an LCS certification, focuses on the assessment, design, implementation, integration and management of IT Service Management processes. This qualification is worth 1.5 credits.
• BCS Specialist Qualifications in IT Service Management covers a broad range of industry practices including ITIL, COBIT, ISO/IEC 20000 and SFIA/SFIA. Six BCS-ISEB Specialist Qualifications are available: Specialist Certificate in Service Desk and Incident Management, Specialist Certificate in Change Management, Specialist Certificate in Service Level Management, Specialist Certificate in Business Relationship Management, Specialist Certificate in Problem Management and Specialist Certificate in Supplier Management. Each certificate earns 1.5 credits.
• Configuration Management Database - This APMG-International certification, teaches candidates how to identify, control, report, audit and verify the service assets and CIs of a CMDB, and carries 1.5 credits.
• Change Analyst is another APMG-International qualification that teaches candidates how to assess, authorize and manage changes within an IT service environment. This qualification earns 1.5 credits.
• Sourcing Governance Foundation (SGF), an APMG-International qualification, teaches the main concepts of Outsourcing and Sourcing Governance and how to apply them. This qualification is worth 1 credit.
• BiSL, an APMG-International qualification, makes candidates familiar with a framework that was created to establish a business information management domain. It also teaches how to actively manage, maintain and support the functionality of information systems. This qualification is worth 0.5 credits.
• ASL2, an APMG-International qualification, focuses on the best practices for designing and carrying out effective application management, including the management, maintenance and upgrading of applications. This qualification is worth 1 credit.

Note: A maximum of six credits from ITIL Complementary Qualifications can be applied towards the ITIL Expert certification.

The official site of ITIL features a tool called the ITIL Credit Profiler, which helps potential candidates determine the total credit value they have attained, and provides them with general guidance on additional certificates they may want to obtain, based on their specific career objectives.

ITIL Certification Management Board

ITIL exams are provided at three levels: Foundation, Practitioner and Manager. The certifications themselves are managed by the ITIL Certification Management Board, or ICMB. Originally, the ICMB included representatives from various international organizations, including the U.K. OGC, APMG, the Stationery Office (TSO), ITIL Examination Panel and Examination Institutes (EIs).In 2006, however, the OGC, which owned the ITIL trademark, turned over the management of the ITIL trademark and the accreditation of examination providers to the APM Group. The APMG then contracted with EXIN, BCS/ISEB, Loyalist Certification Services, PeopleCert Group and other certification bodies, accrediting them as the official examination bodies.

These official organizations are now able to accredit official ITIL training providers and offer ITIL exams. Here is a list of accredited ITIL training partners as provided by the official ITIL site.

Each accredited certification organization uses the same questions, from the same question bank that was developed by the APMG. Only accredited training organizations are allowed to advertise, market and/or deliver ITIL certification courses to applicants.

Accredited Training Organizations and Examination Institutes

There are a number of Accredited Training Organizations (ATOs)--those that have been fully accredited by an approved Examination Institute)-- that provide ITIL certification courses, both online and in person. A full listing of ATOs is provided here.

Additionally, there are many examination institutes (EI) that are accredited by APMG. These examination institutes are allowed to provide an ITIL examination scheme through specific accredited training organizations, and accredited trainers with accredited materials. A list of official Examination Institutes (EI) is also provided by the official ITIL site.

COBIT

Information is an increasingly important resource that organisations compete with by creating better products and services ahead of their rivals. So ensuring that organisations manage information correctly is a business imperative.

COBIT 5 is a globally-recognised and comprehensive business-focused framework that helps organisations make the best use of their information and technology by providing a governance and management framework for enterprise IT.

Simply put, it does this by helping organisations create optimal value from their IT by maintaining a balance between realising benefits and optimising risk and resource usage. The COBIT 5 framework consists of a process reference model, a series of governance and management practices, and a set of enabler tools to support the governance of an organisation.

In summary this is about providing guidance for making decisions concerning the use of information and technology to support organisational objectives and also to sustain them.

COBIT 5 enables IT to be governed and managed across the entire organisation by considering the IT-related interests of internal and external stakeholders such as business users and management as well as outsource service providers and regulators.

COBIT 5 was created to help organisations achieve:

• Value creation through effective and innovative use of enterprise IT
• Business user satisfaction with IT engagement and services
• Compliance with relevant legislation, regulations, contractual agreements, policies and standards
• Closer alignment of business needs and IT objectives

COBIT 5 is based on 5 principles that enable the organisation to build an effective governance and management framework that optimises information and technology investment and usage of IT for organisations of all sizes across the commercial, not-for-profit and public sectors.

COBIT® 5 is a registered trademark of ISACA in the United States and other countries. ISACA neither supports nor endorses these videos.

The COBIT framework

The business orientation of COBIT consists of linking business goals to IT goals, providing metrics and maturity models to measure their achievement, and identifying the associated responsibilities of business and IT process owners.

The process focus of COBIT 4.1 is illustrated by a process model that subdivides IT into four domains (Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate) and 34 processes in line with the responsibility areas of plan, build, run and monitor. It is positioned at a high level and has been aligned and harmonized with other, more detailed, IT standards and good practices such as COSO, ITIL, BiSL, ISO 27000, CMMI, TOGAF and PMBOK. COBIT acts as an integrator of these different guidance materials, summarizing key objectives under one umbrella framework that link the good practice models with governance and business requirements.

The COBIT 4.1 framework specification can be obtained as a complimentary PDF at the ISACA download website. (Free self-registration may be required.)

COBIT 5 was released in April 2012.^[4] COBIT 5 consolidates and integrates the COBIT 4.1, Val IT 2.0 and Risk IT frameworks, and draws from ISACA's IT Assurance Framework(ITAF) and the Business Model for Information Security (BMIS). It aligns with frameworks and standards such as Information Technology Infrastructure Library (ITIL),International Organization for Standardization (ISO), Project Management Body of Knowledge (PMBOK), PRINCE2 and The Open Group Architecture Framework (TOGAF).

Releases

COBIT has had five major releases:

• In 1996, the first edition of COBIT was released.
• In 1998, the second edition added "Control".
• In 2000, the third edition was released "Management Guidelines".
  • In 2003, an on-line version became available.
• In December 2005, the fourth edition was initially released.
  • In May 2007, the 4.1 revision was released.
• COBIT 5 was released in June 2012. It consolidates and integrates the COBIT 4.1, Val IT 2.0 and Risk IT frameworks, and also draws significantly from the Business Model for Information Security (BMIS) and ITAF.
  • In December 2012, one add-on document was released, COBIT 5 for information security.^[5]
  • In June 2013, a second add-on document was released, COBIT 5 for assurance.

Components

The COBIT components include:

• Framework: Organize IT governance objectives and good practices by IT domains and processes, and links them to business requirements
• Process descriptions: A reference process model and common language for everyone in an organization. The processes map to responsibility areas of plan, build, run and monitor.
• Control objectives: Provide a complete set of high-level requirements to be considered by management for effective control of each IT process.
• Management guidelines: Help assign responsibility, agree on objectives, measure performance, and illustrate interrelationship with other processes
• Maturity models: Assess maturity and capability per process and helps to address gaps.

Other ISACA Publications based on the COBIT framework include:

• Board Briefing for IT Governances, 2nd Edition
• COBIT and Application Controls
• COBIT Control Practices, 2nd Edition
• IT Assurance Guide: Using COBIT
• Implementing and Continually Improving IT Governance
• COBIT Quickstart, 2nd Edition
• COBIT Security Baseline, 2nd Edition
• IT Control Objectives for Sarbanes-Oxley, 2nd Edition
• IT Control Objectives for Basel II
• COBIT User Guide for Service Managers
• COBIT Mappings (to ISO/IEC 27002, CMMI, ITIL, TOGAF, PMBOK etc.)
• COBIT Online

What is ISO   27001?

ISO 27001 (formally known as ISO/IEC 27001:2005) is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes.

According to its documentation, ISO 27001 was developed to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system."

ISO 27001 uses a topdown, risk-based approach and is technology-neutral. The specification defines a six-part planning process:

1. Define a security policy.
2. Define the scope of the ISMS.
3. Conduct a risk assessment.
4. Manage identified risks.
5. Select control objectives and controls to be implemented.
6. Prepare a statement of applicability.

The specification includes details for documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action. The standard requires cooperation among all sections of an organisation.

The 27001 standard does not mandate specific information security controls, but it provides a checklist of controls that should be considered in the accompanying code of practice, ISO/IEC 27002:2005. This second standard describes a comprehensive set of information security control objectives and a set of generally accepted good practice security controls.

ISO 27002 contains 12 main sections:

1. Risk assessment
2. Security policy
3. Organization of information security
4. Asset management
5. Human resources security
6. Physical and environmental security
7. Communications and operations management
8. Access control
9. Information systems acquisition, development and maintenance
10. Information security incident management
11. Business continuity management
12. Compliance

Organisations are required to apply these controls appropriately in line with their specific risks. Third-party accredited certification is recommended for ISO 27001 conformance.

Other standards being developed in the 27000 family are:

• 27003 – implementation guidance.
• 27004 - an information security management measurement standard suggesting metrics to help improve the effectiveness of an ISMS.
• 27005 – an information security risk management standard. (Published in 2008)
• 27006 - a guide to the certification or registration process for accredited ISMS certification or registration bodies. (Published in 2007)
• 27007 – ISMS auditing guideline

Source: The ISO Survey of Management System Standard Certifications

 

Analyse in Relation between ITIL, COBIT, CMMI and TOGAF

Firstly check out relation between ITIL and Cobit, TOGAF and ITIL then we will do a general analysis between ITIL, COBIT, CMMI and TOGAF.

 

Relation Between ITIL and Cobit

IT organizations are facing the challenging, but necessary, transition to manage IT based on business priorities. They are looking to frameworks, such as ITIL and COBIT, to help them meet the challenge, but there is some confusion about how best to use them. ITIL and COBIT are complementary and can be used together to facilitate the transition to Business Service Management. ITIL provides a framework for best practice processes in ITSM that help IT manage resources from a business perspective. COBIT provides the framework for setting business goals and objectives, and measuring the progress of “ITIL-izing” the organization to meet those goals and objectives.

With the combination of ITIL and COBIT, IT can meet business objectives and reap the resulting rewards, including the delivery of higher quality business services at lower costs to the organization.

 

Relation Between TOGAF and ITIL

At first glance one could think that activities described in TOGAF are to a large extent covered by ITIL as well. Further reading, however, shows that in ITIL, especially when it comes to architectural activities or concepts, the theory on architecture is not so coherent and well thought through as in TOGAF.

Both frameworks are a set of best or good practices. Furthermore, they both contain an extended version of Deming’s quality cycle. In TOGAF it is referred to as the ‘Architecture Development Method (ADM)’ and in ITIL it is dubbed the ‘IT Service Lifecycle’. Another similarity between the frameworks is that they both originated in IT, thus explaining to a large degree why integration of both frameworks with the business is not yet a common practice. Besides a number of similarities between the frameworks, there are also a number of differences. Although both frameworks contain a quality loop, these loops do not completely overlap. The two main differences are:

Developing business architecture is part of the TOGAF • framework (as demonstrated in Phase A). The scope of ITIL is limited to developing an effective and efficient IT department, whilst developing business architecture is out of scope in ITIL.

Running IT operations and delivering actual IT services are • within the scope of ITIL (as demonstrated in the Service Operation volume). TOGAF does not cover the development and maintenance of a run time environment. How services are actually produced and delivered is not covered in TOGAF. After an IT solution has become part of the operational environment, it turns into (part of) one or more services, with which TOGAF is not concerned.

 

Relation Between ITIL, COBİT, CMMI and TOGAF

ITIL, CMMI, TOGAF and COBIT have profound influence and reach in the IT industry globally, serving as defining frameworks for wide sections of IT practice. The frameworks are often utilized as stringent criteria for awarding contracts and assessing maturity, risk, and performance. Training ecosystems have arisen, and books, conferences, and research revolve around them. All essentially serve to define and stabilize much IT terminology and direct it towards a common description of IT practice.

ITIL, COBIT, TOGAF and CMMI also contain an inestimable amount of valuable and hard won industry insight. Any of them could be re-engineered to be more consistent with BPM(Business Process Management) approaches, while retaining their previous value. Doing so would make them both simpler and more powerful, as well as easier to implement. This in turn could lead to improved IT performance and success for its practitioners and partners.

Resources

http://www.itil-officialsite.com/

http://www.pinkelephant.com/AboutPink/

http://searchsecurity.techtarget.co.uk/definition/ISO-27001

https://en.wikipedia.org/wiki/COBIT

http://advisera.com/27001academy/what-is-iso-27001/

http://www.isaca.org/COBIT/Pages/Information-Security-Product-Page.aspx