Best practice, practice, practice

COBIT is a proven standard that can help with compliance, business accountability and auditing.

In general, IT executives implement best practices because they need to increase IT predictability and efficiency, reduce support costs, improve customer service quality or meet regulatory requirements.

The two best-known standards - the IT Infrastructure Library (ITIL) and the Control Objectives for Information and related Technology (COBIT) - have existed for at least 10 years, support a broad range of management services, are sponsored by very well-respected organizations (COBIT by the IT Governance Institute and ITIL by the IT Service Management Forum) and have been implemented by thousands of organizations of all sizes.

However, COBIT and ITIL are very different in their orientation, definition, classes of problems they address and the specific implications regarding "implementation."

The COBIT standard, which the IT Auditors Association first released in 1996, was designed with business accountability and auditability in mind. For example, a frequent application of COBIT is control definition that helps businesses comply with federal government mandates, such as the Sarbanes-Oxley Act.

Think of a control as a logical safety valve designed to ensure that a specific operation that supports the creation of production financial data executes as intended, without introducing any erroneous or fraudulent data that could compromise the quality of the company's financial reporting.

An example is a set of traceable (and auditable) flows across one or more production applications that reliably increase product inventory when shipments are received from suppliers and decrease product inventory when finished products are shipped to customers. An example of an IT control is the installation of anti-virus software on every new desktop that is installed within a specific facility, along with the ongoing distribution of new virus signatures to each licensed desktop.

IT control definition, testing and progress measurement are task categories that are natural COBIT strengths. The COBIT model is very specific in its definition of the processes and the auditable controls that need to be in place to ensure reliable and predictable IT processes.

The processes defined in COBIT are grouped into four separate domains that align with the IT implementation cycle. They are: Planning and Organization, Acquisition and Implementation, Delivery and Support, and Monitoring.

Each of the 34 processes also has its own assigned number within its parent domain for identification. For example, Problem Management controls and their associated metrics are the 10th process defined in the Delivery and Support domain, while Change Management is the sixth process defined within the Acquisition and Implementation domain.

The definition of each COBIT process also clearly states the control objectives of the process, the critical success factors needed to successfully implement the process, specific quantitative metrics that can be used to measure process quality improvement and a process-specific maturity model that defines the process functionality that progresses from predominantly manual to fully automated and optimized.

In addition, process-specific success factors and quantitative improvement metrics (referred to as the Key Goal Indicators and Key Performance Indicators) are also defined. These can be used as part of a continuous improvement process.

As defined by its authors, COBIT's Management Guidelines are broadly applicable to all major product segments (network, server, storage, application and desktop) within the networked application infrastructure. They are also action-oriented and very relevant to addressing a number of key questions that often are asked when the focus is improving IT governance. These include:

•  How far should we go, and does the benefit justify the cost?

•  What are the indicators of good performance?

•  What are the critical success factors?

•  What are the risks of not achieving our objectives?

•  What do others do? How do we measure and compare?

Specific guidelines for support process maturity improvement can help answer some of these questions by providing an objective and measurable set of criteria for assessing the state of current processes, and determining the steps required to achieve and quantify measurable improvement.


COBIT and ITIL are more complementary than they are competitive.

COBIT focuses on the definition, implementation, auditing, measurement and improvement of controls for specific processes that span the entire IT implementation life cycle. As such, it is an excellent reference model for IT governance across the entire implementation life cycle.

The primary focus of ITIL is to provide best practice definitions and criteria for operations management. More specifically, ITIL primarily focuses on defining the functional, operational and organizational attributes that need to be in place for operations management to be fully optimized in two key categories. These categories are called Service Support Management and Service Delivery Management, each of which has a number of supporting subcategories.

The management subcategories for Service Support Management include Service Desk, Incident, Problem, Configuration, Change and Release management, while those for Service Delivery Management include Service Level, Financial, Capacity, Service Continuity and Availability.

Each subcategory definition includes best practice criteria for many areas, including organizational support, cross management component integration, management reporting, product capability, implementation quality and customer service quality.

If your goal is improving the quality and measurability of IT governance across the entire networked application implementation life cycle or implementing a control system for improved regulatory compliance, COBIT probably would be a more effective choice.

On the other hand, if the objective is to continuously improve IT operations efficiency and IT customer service quality, ITIL would probably be the better bet.

However, one should not look at these comparisons as a COBIT vs. ITIL analysis. It's important to understand the design center differences of each approach and adapt them as needed to meet the specific requirements of your own unique environment.

Given the substantial implementation experience with both standards that exists in the industry today, you'll have plenty of peers to call on for advice. The even better news is that, unlike hardware or software products, their acquisition cost is extremely low.

Morency is a managing director of Transitional Data Services, a service provider in Hopkinton, Mass., that specializes in IT orchestration for small and midsize companies. He can be reached at


Copyright © 2005 IDG Communications, Inc.