Booyaaa!! COBIT User Guide for Service Managers now available

The loooong awaited COBIT User Guide for Service Managers is now available. As an ISACA member I just downloaded my free copy (imagine itSMF members downloading free copies of core or complementary ITIL books - ow! my brain hurts). The rest of you rabble can buy it (ebook here). I reviewed this book so I have some insight into what its impact will be. I believe this book rounds out COBIT as a concise body of ITSM knowledge that presents a credible alternative to ITIL. Not as deep in the detail, certainly not as wordy, but broader, more complete, more structured, systematic and consistent, not (yet) as mercenary and captive of vendors, and cheaper (using downloads). Don't ask me to pick between COBIT and USMBOK (yet), there are pros and cons of both. But I'm using them in preference over ITIL any time a client hasn't drunk the KoolAid.

Take a look at my favourite: COBIT Control Practices. Add to it the IT Assurance Guide for assessment, the IT Governance Implementation Guide for business governance, Val IT for measurement, and now the COBIT User's Guide for Service Managers, plus of course the base COBIT 4.1 framework which is free to the world. Put them all together and you have a hefty BOK on the "how" that I think easily rivals ITIL. Join ISACA and you can download the lot for free or buy the books at a discount.

Sure one might still refer to ITIL for more detail on some practice, just as one can look to a number of other (cheaper) sources to round out how to actually do something. But I think COBIT offers a better framework for ITSM, and provides all that an experienced person needs to check that all the "i"s are dotted and "t"s crossed. (So does USMBOK but as I say that's another discussion).

All we need now is an equivalent structure of professional certifications and a product endorsement scheme. Come on ISACA: Certified Service Manager please.



To add to the Skeptic's support of ISACA there is, for those of you who don't know, a whole bunch of valuable downloads available to members. The additional $50 subscription to MyCOBIT is a must in my opinion, giving you access to the Control Practices.

There is a lot more to COBIT than the glib view of so many self-declared experts that COBIT is about the "What" and ITIL is about the "How". Like the Skeptic I use COBIT rather than ITIL as my primary framework when the option is open to me.

James Finister
Wolston Limited


My understanding is that COBIT is about IT governance whereas ITIL is more a framework for IT best practices. At least that is what Pink Elephant says.

Control is a force, it gets things done


The audit view of the world isn't a bolt on extra. You don't do things just because the auditors tell you to, you do things because the audit requirements make you more effective in the long run. Audit simply tells you whether or not you are doing the required things. To put it another way an effective internal audit team is all about promoting best practices. We, with my audit hat on for a moment, talk about controls, but in a positive sense. In the words of Lawrence Sawyer, the father of modern internal auditing "Control is a force; It gets things done."

Trust me on this one, using COBIT helps you get things done.

COBIT is chock full of best practices that if followed lead to a more effective IT service. IMHO ITIL v3 would have been greatly enhanced if it had been explicitly aligned with COBIT. If nothing else I find COBIT far less ambiguous than ITIL. The COBIT Service Management book highlighted some of that ambiguity for me with the mapping of COBIT on to the ITIL roles of Product Manager, Service Manager and BRM.

Governance is a wider issue, and I would recommend the ISO standard for IT Governance ISO 38500. I've found it a great way of engaging with C levels.

Don't trust any pronouncements about what COBIT does and doesn't do from experts unless they've read the Control Practices for themselves.


read the books


Never mind what anyone says, instead of repeating received wisdom I suggest you sign up for ISACA and read the books.

The Control Practices detail for each of the 34 COBIT processes, for each Control Objective within that process: what are the goals, objectives, value drivers, risk drivers, and practices required to achieve it.

Let's take an example that everyone here can relate to:
DS8 Manage Service Desk and Incidents
DS8.1 Service Desk

Establish a service desk function, which is the user interface with IT, to register, communicate, dispatch and analyse all calls, reported incidents, service requests and information demands. There should be monitoring and escalation procedures based on agreed-upon service levels relative to the appropriate SLA that allow classification and prioritisation of any reported issue as an incident, service request or information request. Measure end users’ satisfaction with the quality of the service desk and IT services.

Control Practices
1. Establish a service desk as a single, initial point of contact for the reporting, monitoring, escalation and resolution of customer requests and incidents. Develop business requirements for the service desk, based on service definitions and SLAs, including hours of operation and expected response time to a call. Ensure that service desk requirements include identifying staffing, tools and integration with other processes, such as change management and problem management.
2. Ensure that there are clear instructions for service desk staff when a request cannot be immediately resolved by service desk personnel. Establish time thresholds to determine when escalation should occur based on the categorisation/prioritisation of the request or incident.
3. Implement the necessary support software and tools (e.g., incident management, knowledge management, incident escalation systems, automated call monitoring) required for operation of the service desk and configured in accordance with SLA requirements, to facilitate automated prioritisation of incidents and rapid resolution.
4. Advise customers of the existence of the service desk and the standards of service they can expect. Obtain user feedback on a regular basis to ensure customer satisfaction and confirm the effectiveness of the service desk operation.
5. Using the service desk software, create service desk performance reports to enable performance monitoring and continuous improvement of the service desk.

Can't say fairer than that.

The Assurance Guide does, yes, have a few pages on auditing. Then once again for each objective of each of the processes, it details each of the tests of that objective that an auditor would make, which equally serve as a checklist that you are covering off that objective. Same example:

• Enquire whether and confirm that an IT service desk exists.
• Enquire whether and confirm that analysis has been performed to determine the service desk model, staffing, tools and integration with other processes.
• Confirm that the hours of operation and expected response time to a call meet business requirements.
• Enquire whether and confirm that instructions exist for the handling of a query that cannot be immediately resolved by service desk staff. Queries should have priority levels that determine the desired resolution time and escalation procedures.
• Ask relevant personnel about whether tools for the service desk are implemented in accordance with service definitions and SLA requirements.
• Enquire about the existence of standards of service and communication of the standards with customers.

And I haven't quoted the value and risk drivers, which are the value statement for each objective. It is concise, bullet pointed. It lacks detail of the implementation but it has the high level of the implementation alright. It also lacks role descriptions. So the rank beginner needs more. But the rank beginner shouldn't be going it alone anyway - they should be hiring in expertise.

How do you get to best practice without controls?

With respect, the journey to the promised land of best practice requires a combination of things...

Many may have noticed that ITIL no longer professes to offer 'best practice'. The pudding is in the form of the removal of the phrase (slogan) from the hardcopy covers. IMHO its reverting to being a 'framework', into which best practices can be placed, is a sensible strategy (or design).

Control objectives (measures, rules, policies and governance to others) are vital to establish and sustain a better set of practices. What both are hinting at is an operational (service model) that can be universally applied. COBIT will likely get there sooner given the impetus behind governance (fundamental in an economic downturn). ITIL V3 has begun that journey with four lumpy stages to a service lifecycle, but it continues to ignore the transaction side of the house, and has all but dissed both the key realms of applications and systems development.

Ask yourself - what MUST I have and what can I do without when comparing COBIT, ITIL and other candidates. Also ask yourself if you have placed your customer at the center of your universe, or a framework. If the former, good - then make sure you understand how each framework helps you - help your customer achieve their desired results - better, and cheaper.... old stuff this but...

Whether the practices, policies, procedures and know-how used makes a difference for you and your customers is the measure of a 'best practice'.
