
ITIL and COBIT - Similarities, Differences and Interrelationships


Welcome, Introduction & Agenda

January 13, 2004

Lead By: Greg Hines


Pepperweed Consulting
greg.hines@pepperweed.com

The Business of IT.
Delivered.

Session Objective

• Learn the basics of ITIL and COBIT


• Understand the scope of ITIL and COBIT
• Discuss where ITIL and COBIT overlap (and do not!)

Agenda
Welcome
• Agenda
• Introduction

ITIL Overview

COBIT Overview

Similarities and Differences

Wrap Up and Questions


About the Presenter


• Degreed accountant with 20+ years of IT experience
• Staff accountant with Deloitte Haskins + Sells
• Senior consultant with Price Waterhouse
• 8 years as an independent consultant in service management process and software tools, much of it as a contractor for IBM worldwide
• Clients in the US, Europe and Asia
• Currently a Consultant with Pepperweed Consulting

About Pepperweed Consulting
Pepperweed was founded in 1996 by IT professionals who recognized a
need for quality IT management tools, and specialists peaked in their
implementation and use. Recently listed as one of the Inc. 500 fastest
growing privately held companies, Pepperweed helps IT organizations
extend their service capabilities drawing from the following product and
service portfolio:

• IT infrastructure and process consulting


• Deployment and configuration of industry leading IT management
solutions
• Off-the-shelf enhancements/extensions to industry leading IT
management solutions
• Telephone and on-site technical support


Overview of the Information Technology Infrastructure Library

Information Technology Infrastructure Library

Introduction of the ITIL Library


• History of ITIL
• Objective of ITIL
• Popularity of ITIL

Terms
• IT infrastructure
• Processes

Characteristics of ITIL

Strategic, tactical and operational perspectives


In the late 1980's the British government asked the CCTA (now the OGC) to structure the IT organizations of the British government agencies.

CCTA is the Central Computer and Telecommunications Agency, an agency of the UK government's Cabinet Office. CCTA's aim is to help customers to improve the delivery of their service through the best possible use of IT.

http://www.itil.co.uk/

The aims of CCTA in developing the IT Infrastructure Library are:


• To facilitate the quality management of IT services and in doing so increase the efficiency
with which the corporate objectives and business requirements are met.
• To improve efficiency, increase effectiveness, and reduce risks.
• To provide codes of practice in support of total quality.
• Today ITIL is managed by the Office of Government Commerce (OGC).

ITIL Books

• Support IT Services
• Deliver IT Services
• Manage Applications
• Business Perspective
• Manage the Infrastructure


Additional Titles Now Available:

Software Asset Management (ISBN 0113309430)


Planning to Implement Service Management (ISBN 0113308779)
Security Management (ISBN 011330014X)

Scheduled for March, 2005:


The Business Perspective: Volume 2

Service Support (ISBN 0113300158)


Service Delivery (ISBN 0113300174)
ICT Infrastructure Management (ISBN 0113308655)
Application Management (ISBN 0113308663)
The Business Perspective: Volume 1 (ISBN 0113308949)

ITIL describes the IT Service Organization that delivers
the agreed upon services and maintains the
infrastructure on which these services are delivered.

Customers

Users
Requirements
Market/Legal

IT Service Organization

Suppliers / Subcontractors


Main Characteristics of ITIL are:

Business orientation

User focused

High level (“helicopter view”)

Provides a common language for IT service management processes

Independent of organizational structures, architectures or technologies

ITIL Process Overview
[Figure: ITIL process overview diagram. Recoverable labels: Customer Service Entry Point, User Service Entry Point, Service Delivery, Service Support, Service Desk, Demand Management, Performance Management, Capacity Management, Availability Management, SLA Management, Financial Management for IT, IT Svc Continuity Management, Security Management, Incident Management, Problem Management, Change Management, Release Management, Configuration Management, Relationship Mgr, Expectation Management.]

The most widely used processes of the IT Infrastructure Library and the scope of this session are the Service Support ...

Configuration Management
Provide a logical model of the IT Infrastructure by identifying, controlling, maintaining
and verifying the versions of all Configuration Items.

Service Desk
Central point of contact between users and the IT Service Organization.

Incident Management
Restore normal service operations as quickly as possible.

Problem Management
Prevent and minimize the adverse effect on the business of errors in the IT
Infrastructure.

The most widely used processes of the IT Infrastructure
Library and the scope of this session are the Service
Support ...

Change Management
Ensure standardized methods and procedures are used for efficient prompt and
authorized handling of all changes in the IT Infrastructure.

Release Management
Ensure that all technical and non-technical aspects of a release are dealt with in a
coordinated approach.


Service Delivery …

Service Level Management


Maintain and improve IT service quality through a constant cycle of agreeing,
monitoring, reporting and reviewing IT service achievements.

Availability Management
Optimize the capability of the IT Infrastructure and supporting organization to deliver a
cost effective and sustained level of availability to satisfy business objectives.

Capacity Management
Ensure that capacity and performance aspects of the business requirements are
provided timely and cost effectively.

IT Service Continuity Management


Ensuring that the required IT technical and service facilities can be recovered within
the time scales required by Business Continuity Management.

Financial Management for IT Services


Provide cost effective stewardship of IT assets and resources used in providing IT
services.

and Security Management.

Security Management
Managing a defined level of security for information and IT Services.


The acceptance of ITIL has three critical success factors, two of which have a world wide impact

• ITIL methodology is available to anyone and is managed by government and non-profit organizations.
• ITIL has been adopted by world wide solutions vendors and large globally operating organizations.
• There are many ITIL books and printed resources.

Build quality IT processes with ITIL.
IT Infrastructure

ITIL defines IT infrastructure as all hardware, software, documentation, contracts and procedures that are necessary to provide IT services to users.

Procedures and
documentation

Hardware and Software


Processes are the central point within ITIL. A process is a series of related activities, that takes an input, adds value to it, and produces an output for a user.

Input → Process → Output

Control
• Policies
• Budgets
• ...

Input
• Incidents
• Requests
• Requirements
• Alerts
• ...

Output
• Resolved incidents
• Changed environments
• A report

Resources
• People
• Tools
• Knowledge
• ...
ITIL processes cross organizational boundaries.

• Cross-boundary processes often cause the most real-world challenges.
• Process owner will need assistance from an area where the owner lacks control.
• Process owner needs an escalation path when a resource does not deliver.


ITIL Process Coverage

ITIL

The processes covered in this session are primarily the operational and tactical processes of service support and service delivery.

Service Support (deals with day to day issues, operational)
• Configuration Management
• Service Desk
• Incident Management
• Problem Management
• Change Management
• Release Management

Service Delivery (deals with medium to long term planning, tactical/strategic)
• Service Level Management
• Availability Management
• Capacity Management
• IT Service Continuity Management
• Financial Management for IT Services


ITIL and day-to-day work

ITIL is nothing new, all IT professionals do it in their day-to-day work.
• Resolving incidents and problems
• Creating change requests
• Software development
• Software releases
• Hardware and software research

Overview of COBIT (Control OBjectives for Information and related Technology)


COBIT

Introduction to COBIT
• History of COBIT
• Objective of COBIT

Terms
• IT infrastructure
• Processes

Characteristics of ITIL

Strategic, tactical and operational perspectives

History of COBIT
1996 - COBIT was developed by ISACF (Information Systems Audit and
Control Foundation)
1998 – Founding of the ITGI (IT Governance Institute)
1998 – ITGI begins an initiative for better IT Governance, focused around
COBIT

http://www.isaca.org http://www.itgi.org


COBIT Publications

COBIT Publications

Executive Summary – explains COBIT’s key concepts and principles

Management Guidelines - maturity models, critical success factors, key goal indicators and key performance indicators. These are intended to help answer the questions of immediate concern to all those who have a stake in enterprise success.

Framework - explains how IT processes deliver the information that the business needs to achieve its objectives. Presented are 34 high-level control objectives, one for each IT process, contained in the four domains. Also discussed are the seven information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability), as well as which IT resources (people, applications, technology, facilities and data) are important for the IT processes to fully support the business objective.


COBIT Publications

Audit Guidelines – outlines and suggests actual activities to be performed corresponding to each of the 34 high-level IT control objectives.

Control Objectives - provides insight required to delineate a clear policy and good practice for IT controls. Included are the statements of desired results or purposes to be achieved by implementing the 318 specific, detailed control objectives throughout the 34 high-level control objectives.

Implementation Tool Set - contains management awareness and IT control diagnostics, implementation guide, frequently asked questions, case studies from organizations currently using COBIT and slide presentations that can be used to introduce COBIT into organizations. The tool set is designed to facilitate the implementation of COBIT, relate lessons learned from organizations that quickly and successfully applied COBIT in their work environments and assist management in choosing implementation options.

COBIT Publications

All publications can be purchased and downloaded from the ISACA bookstore (www.isaca.com) and are also available on a CD-ROM.


Governance

Enterprise governance - the system by which organizations are governed and controlled

IT Governance - a structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes. Basically, the way IT is governed and controlled.

Deming Cycle

The Deming Cycle (Deming wheel of a continuous improvement process) is usually used in structured problem-solving and continuous improvement processes. COBIT uses the plan-do-check-act cycle (the components of the Deming cycle). Both the information need (corporate governance) and the information offer (IT governance) have to be planned with measurable and constructive indicators (plan). The information and, possibly, information systems have to be implemented, delivered and used (do). The outcome of the information delivered and used is measured against the indicators defined in the planning phase (check). Deviation is investigated and corrective action is taken (act).


COBIT Top Down Approach

COBIT was developed using a top down approach:

4 domains:
• Plan and Organize (PO)
• Acquire and Implement (AI)
• Deliver and Support (DS)
• Monitor and Evaluate (M)

34 high-level control objectives

318 detailed control objectives

COBIT Domains and Processes


COBIT Cube

COBIT Process Definition Example (change management)

managing changes
satisfies the business requirement
to minimize the likelihood of disruption, unauthorized alterations and errors

is enabled by
a management system which provides for the analysis, implementation and follow-up of all
changes requested and made to the existing IT infrastructure

and takes into consideration


• identification of changes
• categorization, prioritization and emergency procedures
• impact assessment
• change authorization
• release management
• software distribution
• use of automated tools
• configuration management
• business process re-design


COBIT Detailed Control Objectives Example


6 MANAGE CHANGES

6.1 Change Request Initiation and Control
IT management should ensure that all requests for changes, system maintenance and supplier maintenance are standardized and are subject to formal change management procedures. Changes …

6.2 Impact Assessment
A procedure should be in place to ensure that all requests for change are assessed in a structured …

6.3 Control of Changes
IT management should ensure that change management and software control and distribution …

6.4 Emergency Changes
IT management should establish parameters defining emergency changes and procedures to control these changes when they circumvent the normal process of technical, operational and management assessment prior to implementation. The emergency changes should be recorded and authorized by IT management prior to implementation.

The change process should ensure that whenever system changes are implemented, the associated documentation and procedures are updated accordingly.

… avoid risks of unauthorized access to automated systems.

… ensuring sign-off, packaging, regression testing, handover, etc.

COBIT Process Coverage


Guidance Classification

COSO - Committee of Sponsoring Organizations of the Treadway Commission

TickIT – British Standards Institute (BSI) software quality management accreditation

NIST – US Government Security guidance (National Institute of Standards and Technology)

15408, 13335, 17799 – ISO security

[Figure axis: IT process coverage (horizontal), from narrow to broad]
ITIL and COBIT Similarities

Business orientation

High level (“helicopter view”)

Independent of organizational structures, architectures or technologies


ITIL and COBIT Differences

COBIT includes a discussion of quality

COBIT includes a discussion of process maturity

ITIL has a broad base of adopting organizations with lessons learned

ITIL has an organization certification schema that will (most likely) become an ISO component in late 2005 or early 2006

ITIL and COBIT Interrelationships (real-world)

Use ITIL for high level considerations

Use COBIT to provide details

Use COBIT to “plug holes” and “fill in the gaps”
