Tackling the IT Governance Challenge


By Peter Hill, Ken Turbitt
Peter Hill
Director
IT Governance Network

Ken Turbitt
Global Best Practice Director
BMC Software

IT professionals are under considerable pressure today to comply not only with internal corporate policies but also with external mandates such as the Sarbanes-Oxley Act (Sarbox) and Basel II. Many are turning to guidelines such as the IT Infrastructure Library (ITIL) and Control Objectives for Information and related Technology (COBIT) to help them manage IT based on business priorities and address IT governance issues. One question that is often asked is: Which of these two frameworks will be most effective at helping the enterprise tackle the governance challenge?

The answer is both. ITIL and COBIT are not alternate approaches. They are highly complementary methodologies that enable IT not just to support business goals, but to drive them. By deploying both frameworks, you can benefit from proven best practice IT service management (ITSM) processes that enable you to manage IT from a business perspective and drive business goals, including compliance with internal policies and external demands. In addition, you position your organization to institute clear activity and process goals based on business goals, and provide a means of measuring progress against them. Moreover, you can achieve effective IT governance and control at the process level, and enable your IT staff to demonstrate that the company meets or exceeds governmental requirements.

Combined, ITIL and COBIT let you increase the quality of business services you deliver while lowering overall costs. ITIL addresses ITSM best practices; COBIT addresses the establishment of business goals and the measurement of progress toward those goals. Following these frameworks will offer your organization the ability to provide fast, consistent, reliable technology services that increase revenue, reduce costs, and help you demonstrate compliance with regulatory requirements.

The Role of ITIL
ITIL has become a de facto standard for establishing ITSM processes. Although it covers multiple areas, its main focus is service management. ITIL provides a comprehensive, consistent, and coherent framework of best practices and related processes. Consequently, it promotes a quality approach for achieving business effectiveness and efficiency in the use of information systems. Because it helps you manage IT from a business perspective, it drives business goals, including those related to IT governance and regulatory compliance.

The Role of COBIT
COBIT is an IT-focused governance and control framework that many enterprises are adopting as the governance and control model for implementing and demonstrating effective IT governance across all areas of IT activity. COBIT complements established frameworks, such as the Software Engineering Institute's Capability Maturity Model, ISO 9000, ITIL, and ISO 17799 (standard security framework, now ISO 27001). It provides high-level, broad coverage and focuses attention on what the business requires.

A predefined sequence of generic and specific process goals guides the implementation and improvement of individual processes. Consequently, COBIT can integrate disparate practices under a single framework and link those practices to strategic business objectives. COBIT is intended to be used at the highest level of IT governance to achieve strategic objectives. It provides an overall governance framework based on a high-level process model of a generic nature that makes it applicable to most organizations. You can map processes and standards that cover specific areas in more detail, such as ITIL and ISO 27001, to the COBIT framework to create a hierarchy of guidance materials. The key COBIT 4.0 domains include plan and organize, acquire and implement, deliver and support, and monitor and evaluate.

Working Together
ITIL helps you better align IT service delivery with the needs of your enterprise. To ensure that your ITIL implementation is successful, however, you need an effective IT governance and control framework. COBIT provides that framework, offering guidelines to help you build capability and drive toward business requirements. COBIT focuses on the performance of key management practices and the monitoring of key performance indicators to ensure that the desired goals are achieved.

Although COBIT is oriented to IT processes, it addresses the organizational building blocks but not the process steps and tasks themselves. It focuses on what your enterprise needs to do, not how to do it. ITIL defines best-practice processes for ITSM and shows you how to get there. It focuses on methods and defines the processes, providing a generally accepted description of the service management processes. By leveraging both frameworks, you'll advance more rapidly toward your goal of managing IT from a business perspective.

Getting Results
Implementing ITIL and COBIT is not a trivial task. You must address the high degree of complexity in your IT infrastructure, ITIL processes, and COBIT control objectives. This complexity is due to the siloed approach IT organizations traditionally have taken to support specific business entities. The fact that IT environments are always in a state of flux adds to the complexity. In these environments, manual processes are not effective or efficient. They would depend on dedicated staff willing to maintain a reliable paper trail that can stand up to a rigorous compliance audit.

The only way to conquer this complexity is to deploy a systems-based solution that meets four key criteria. The solution must:

  • Cover the full range of ITSM disciplines, and permit integration of processes across disciplines.
  • Replace the traditional focus on individual servers, switches, and databases that enable online transactions with a focus on whether those transactions are occurring fast enough to meet the demands of the business.
  • Have an underlying configuration management database that provides a single source of reference and control across IT disciplines to ensure that all processes are using consistent and accurate data.
  • Provide out-of-the-box support for ITIL processes and COBIT control objectives to eliminate the need for time-consuming and costly customization of the software to support these frameworks.

Conclusion
As an IT professional, you face the challenging, but necessary, transition to IT management based on business priorities. ITIL and COBIT help you make the transition. ITIL promotes alignment between the services delivered and the needs of the business. COBIT provides the framework for goal setting and measurement. Together, they help you meet business objectives and reap the resulting rewards, including higher quality business services at a lower cost and compliance with internal policies and external mandates.



Peter Hill
Director
IT Governance Network
Peter Hill is an IT Governance consultant with ten years' experience. He is currently a director of the IT Governance Network, a company specializing in IT Governance consulting and training. Hill has extensive experience with COBIT, having used it as the umbrella model to implement IT governance, process improvement, compliance, and manage risk activities for a number of clients. Hill has been at the forefront of information technology governance since the early 1990s. He has extensive knowledge across many of the areas within IT Governance and started working with COBIT in 1994. Recently, Hill participated as a member of the COBIT 4.0 development team. He has contributed to a number of publications on IT governance and COBIT.

Ken Turbitt
Global Best Practice Director
BMC Software
Ken Turbitt has broad experience in best practices management, IT, and consulting. Turbitt is the Global Best Practices Director for BMC Software. He is focused on best practices for IT services, such as ITIL, COBIT, and eTOM, among others, and presents this information to clients, partners, and analysts. He has held an ISEB ITIL Manager/Masters qualification for more than ten years and has been a Gartner-qualified TCO consultant for more than seven years.




© 2019 Simplex Knowledge Company. All Rights Reserved.