Supporting ITIL v3 with COBIT 4.1

The IT Governance Institute (ITGI) and ISACA, formally known as the Information Systems Audit and Control Association, recently delivered a new publication – ‘COBIT User Guide for Service Managers’. This is the first in a series of publications aimed at providing specific, role-based guidance on COBIT (Control Objectives for Information and related Technology) usage and builds on ISACA/ITGI’s previous COBIT to IT Infrastructure Library (ITIL) mapping documents, the latest being ‘Aligning COBIT 4.1, ITIL v3 and ISO/IEC 27002 for Business Benefit’. Both documents are available for download on the ISACA Web site – – the mapping document is free whilst there is a charge to non-members for the Service Manager Guide.

The Service Manager Guide and mapping document both recognise that there is often confusion between the ITIL and COBIT frameworks, and their adoption and utilisation within a corporate IT Function. An often posed question is ‘Do you use ITIL or COBIT?’, whereas ‘Do you use ITIL and COBIT?’ is more appropriate. It is therefore important for organisations to understand how ITIL and COBIT both ‘overlap’ and differ, and specifically how the latter can be used to support a corporate ITIL implementation.

Whilst ITIL and COBIT were created from different perspectives and by different entities, the Office of Government Commerce (OGC) and ISACA/ITGI respectively, there is substantial commonality. Importantly, it should be recognised that both COBIT and ITIL provide guidance on a range of good (or best) practices for IT Service Management (ITSM).

ITIL can be described as a set of books documenting best practice for ITSM, providing guidance on the provision of quality IT services and the facilities needed to support them. Whereas, the ISACA/ITGI description of COBIT is of supporting IT governance through a framework that helps ensure that: IT is aligned with the business, IT enables the business and maximises benefits, IT resources are used responsibly, and IT risks are managed appropriately. The ethos of COBIT therefore has many similarities with ITIL’s remit for ITSM – ‘aligning IT services to the current and future needs of the business and its clients, to improve the quality of the IT services delivered, and to reduce the long-term cost of service provision’.

Organisations need to understand that ITIL has never been (nor was intended to be) a complete, out-of-the-box solution and does not have to stand alone; in fact, an organisation may struggle to effectively implement ITIL without some form of IT governance framework. Whilst ITIL provides best practices on planning, designing, and implementing effective ITSM capabilities, the addition of COBIT guidance and tools can help an organisation ensure that its ITSM effort is better aligned with the business, and its governance and internal control requirements. A point not to be overlooked here is that IT governance does not only improve internal control but can also be a key facilitator in aligning IT goals with those of the enterprise – a key pillar of ITIL’s raison d’être.

So ITIL and COBIT are complementary rather than competing. COBIT is a framework of policies, processes, procedures, and metrics that can give governance-related direction to IT operations and associated ITIL processes. Importantly, COBIT can help guide an organisation in what should be covered in processes and procedures (whereas ITIL provides guidance on how the processes or procedures should be designed).

Following the logical flow of the COBIT User Guide for Service Managers, COBIT can enhance ITIL-based activity in the following areas: the definition of business and IT objectives and how they relate to each other; the translation of these objectives into usable goals and metrics; the assessment of ITSM process maturity; the enhancement of ITIL processes, particularly in terms of internal control; ITSM-role accountabilities; and the provision of assurance to both internal and external assessors.

Objective and Metric Definition

IT cannot be truly business-aligned without a comprehensive understanding of the enterprise’s strategic objectives and how they affect, and are affected by, existing and future IT service provision. ITIL provides guidance in this area in both the Service Strategy and Service Design books, but COBIT goes one step further. For example, where ITIL provides information on how to define a ‘goal tree’, COBIT offers a generic set of business and IT goals for the user to build upon in creating an enterprise-specific mapping to the IT and ITSM processes needed to deliver against corporate objectives.

This should then be built upon to establish business-aligned IT objectives. COBIT provides a structure to facilitate this, recommending that IT goals are set at three levels: for IT overall, for IT processes, and for the activities within IT processes. By using COBIT’s goal-definition process an organisation is able to create a performance measurement framework that not only ascertains performance outcomes against the desired goals but also offers a basis upon which to drive performance improvement activity. It has the additional ability to ensure that ITIL-based Continual Service Improvement is focused on appropriate processes and activities to deliver the greatest positive impact in respect of business goals.

Process Maturity Assessment

COBIT recognises that different IT organisations are at differing levels of IT and ITSM process maturity; not only from a holistic perspective but also at an individual process level. It provides a maturity model for each IT process, enabling management to benchmark the organisation’s activities against good practices – identifying deficiencies and areas for improvement.

Process Design

ITSM processes should always be tailored to the organisational needs of the enterprise, and hence organisations also need to take an ‘adopt and adapt’ approach with COBIT and ITIL good practices – such that they are both practical and in tune with corporate objectives. In doing this an organisation will notice, if they haven’t already, that ITIL provides guidance on how processes and procedures should be designed whereas COBIT helps to define what should be included within them. Even if an organisation is not designing ITSM processes from scratch, alternatively adopting and adapting from consultant-provided best practices say, it is still worth checking existing process control points against COBIT to ensure the adequacy of internal controls and highlight control-based activities for future corporate compliance initiatives.

Role Accountability

For each IT process, COBIT defines a generic Responsible, Accountable, Consulted, and Informed (RACI) chart, a management model used to help define roles and responsibilities. Each RACI chart highlights the key activities in the process and the responsibilities of individual roles (or role types) to provide an essential element of IT governance. The COBIT RACI charts should be tailored to organisational ITSM processes and roles to supplement existing, probably less-focused, role or job descriptions. They should ensure that both the individuals fulfilling the roles, and those that are dependent upon the activities of these people, know exactly where responsibility and accountability lies.

Assurance Provision

The integration of COBIT with ITIL processes not only allows management to improve processes and control-based elements, it also helps to demonstrate the level of IT governance. With the utilisation of an industry standard set of controls (and common terminology) facilitating the provision of assurance to both internal and external assessors, this potentially reduces the time and effort required from both operational staff and assessors in completing compliance-based initiatives.

ISACA/ITGI’s Aligning COBIT 4.1, ITIL v3 and ISO/IEC 27002 for Business Benefit document provides a bi-directional mapping between COBIT and ITIL. Examples relate to a subset of Service Desk and Incident Management activities: COBIT’s Deliver and Support (DS) – DS8 Manage Service Desk and Incidents, and ITIL v3 Service Operation (SO) Incident Management. Table 1 (removed) details examples of COBIT to ITIL mappings and Table 2 (removed) the reverse.

The mappings can then be used to drill down from the COBIT Control Objectives into specific Control Practices to beef up existing, or proposed, ITIL processes in order to help achieve effective IT governance (the practices are detailed in ‘COBIT Control Practices: Guidance to Achieve Control Objective for Successful IT Governance’). These can be used to create specific process control points that an organisation can measure compliance against. Examples, in the context of the above, are ‘progress in addressing issues identified is tracked to completion’, ‘issue trends are analysed periodically to identify underlying issues and initiate remedial action to address them’, and ‘there is a process for responding to (and where necessary escalating) incidents on a timely basis’.

Not all the COBIT Domains map onto ITIL. There is no reason why, however, an organisation cannot utilise COBIT’s supporting Control Objectives within these Domains to further improve business alignment and IT governance.

So, to summarise, used together ITIL and COBIT can provide the necessary framework of good (or best) practices that enables an IT organisation to visibly align itself with the goals of the business, and effectively manage its resources to enable these goals through the optimised delivery of organisation-needed information and business-enabling IT services.

Republished from


One thought on “Supporting ITIL v3 with COBIT 4.1

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s