Why COBIT wins in a showdown with ITIL

I like ITIL. I use it quite a bit. But it puzzles me why ITIL is the default source of bestgood, generally accepted practice for IT processespractices. Often people talk as if it is the only source.

My default source of IT good practice is COBIT. It wins over ITIL, hands down.As a consultant, COBIT is my first-choice body of knowledge for my engagements. I go to it first to assess, to frame, to define, to justify, to audit. I turn to ITIL second, when I need more detail, or when I need the authority of the holy of holies to justify what I suggest. I presented this at the Pink Elephant 2012 conference, in a session called Showdown of the Methodologies.


For me it is a no-brainer to reach for COBIT first and most often:
ITIl vs COBIT perspectives

  1. Purpose. ITIL is an ITSM framework. COBIT is an IT practice (and now governance) framework. ITSM has grown to mean "all of IT management seen from a service perspective" but that service slant or bias remains. COBIT is intended to be a comprehensive description of all IT practices. It may not do that perfectly but it comes much closer than ITIL because it doesn't constrain itself to ITSM. Which leads us to...
  2. Coverage. According to “Aligning CobiT® 4.1, ITIL® V3 and ISO/IEC 27002 for Business Benefit” which was issued jointly by ISACA and OGC (co-written by the ITIL Refresh Chief Editor and reviewed by the ITIL Chief Architect), ITIL covers less than half of COBIT's range and only completely covers about a quarter of the practices (8 of the 34 COBIT processes) ...and that's COBIT 4.1. I bet COBIT 5 opens the gap even further.
  3. Rigour. ITIL is the Hitchhikers' Guide, COBIT is the Encyclopaedia . ITIL's narrative style (no really, compared to other frameworks it is downright chatty) may appeal, but as a foundation for my consulting activities the rigour and structure of COBIT is more dependable and useful. COBIT is systematically numbered; and every entity has a consistent structure. I actually find the formal COBIT structure much easier to use than the ITIL rambling: I find answers quicker, I get clearer concepts with less confusion, and I frame things readily.
  4. Benchmark. You can assess against COBIT; it has clearly defined requirements. That was one of COBIT's early drivers for adoption: auditing IT for SOx compliance. COBIT auditors/assessors are certified (CISA). To assess against ITIL you need to go to proprietary benchmarks (including TIPA, not to be confused with my Tipu). ISO20000 compliance is not the same thing as ITIL "compliance".
  5. Credibility. COBIT is written by a team, not a couple of authors per book. The same team for all the books. And then the list of all COBIT contributors and reviewers runs to pages. It is owned and published by a not-for-profit membership body set up and run by auditors, process geeks and security wonks. Its governance (and discretion) rocks. Unfortunately ISACA is American-centred but you can't have everything.


  6. Accessibility. COBIT is low cost (see below) compared to ITIL. There is a copyright and trademark waiver for use by consultants and vendors. You can subscribe to an interactive personalised online version (only COBIT 4.1 for now).
  7. Novelty. COBIT is of course not "new" any more than ITIL was when the world "discovered" it a decade ago. But COBIT has yet to be a fad, and the world is ready for a new fad as the realities of ITIL sink in. COBIT has none of the negative baggage accruing on ITIL. I think COBIT is IT's next silver bullet.
  8. Governance. COBIT will be embraced because the realisation is dawning that Cloud and SaaS and BYOD are business decisions not IT decisions, and that therefore it is high time the organisation as a whole stepped up to its responsibilities for IT instead of abdicating and blaming IT. Organisations have failed their IT like a bad parent, and the road to redemption is via better enterprise-level governance of IT, and that's what COBIT 5 is all about. ITIL V3 Service Strategy actually talks about governance quite a lot but nobody has read it. COBIT has the governance high ground.

Join ISACA to get COBIT

Yes the COBIT core is free... well close to it. ISACA want your email registration to get the main COBIT 5 overview but they don't want money.

They want your ISACA membership fee (about $150 membership - varies by region) to get the remaining books in digital format for free, but personally I think that is a good deal, especially allowing for all the other benefits of membership. I pay it. I buy the hardcopy versions too at the heavily discounted members' price, but I'm like that: I still prefer paper to bytes.

If you are not the joining kind, you can still buy the books, digital and hardcopy, but you will spend at least as much as the membership fee without all the other benefits of membership. I get more value from ISACA than I do from itSMF. If you are going to actually use COBIT, at a minimum you need COBIT 5 (the overview and framework) and COBIT 5: Enabling Process (the details of all the processes) and you could also get COBIT 5: Implementation (putting in place governance and management of IT). To buy all three will cost you

Member Non-Member
PDF $0 $225
Print $95 $275

It is worth noting that what they give away for free in COBIT 5 is less than they gave away in COBIT 4.1. The free core in COBIT 4.1 is the equivalent of the COBIT 5: Enabling Process book and then some. Still, $250-odd buys you a lot of COBIT 5.

If all you want is overall awareness, then you don't even need to register let alone pay. You can download a few documents without registration that will give you the picture:

ITIL has some advantages

Where does ITIL win over COBIT?

  • ITIL is much more a source of ideas and options, information, and explanation on why we do things. There is much more meat on ITIL.
  • ITIL has a much larger user base, higher brand recognition, and more momentum.
  • ITIL has an extensive certification scheme. I think too extensive, but some appreciate it.
  • I suppose I must count the ITIL software compliance schemes, either the British Government one or PinkVerify, though I think they are both pretty pointless, but once again they give some people comfort.

I don't count the prISM accreditation scheme as an advantage for ITIL. First I think it is crazy over-the-top. Second, ISACA provides accreditation specific to COBIT. Third, the IT community accredits the broader IT space that COBIT addresses (e.g. in New Zealand we have IT Certified Professional accreditation from the Computer Society, and in the UK they have similar CITP)

Everyone in IT should have COBIT

I would encourage everyone in IT to have a copy of COBIT 5 at hand. I use COBIT:

  • to frame: a structure for framing any IT management thinking
  • to assess or audit: a checklist for any form of review: process capability assessment, current state review, document audit, process audit...
  • to define:
    • descriptions of practices and their deliverables
    • an input to role descriptions, especially the RACI responsibility matrices
    • management and governance mechanisms

    (fleshed out when necessary with other sources such as ITIL)

  • to justify: an authorative reference for IT "best practice"


Both frameworks propagate the same failure points

My first impression of the comparison and the information I've been able to review is that COPBIT still shares the same key failure points that caused me to label ITIL 2011 as Inside-Out. One day the framework evangelists will have the epiphany I see happening day after day in client organizations that the job of IT today is to engage its customers immediately and constantly and to think and act with the customer's interests in mind at the outset - thats what is termed thinking outside-ion.

The danger of both of these framework is that in the wrong hands they will encourage and support a process/service/maturity approach that fails the customer because its inside-out. As others have indicated, comparing these against each other is inte4resting but to what purpose. What would help would be for the industry to agree on a set of overriding principles for service management that could be used to assess these and any other frameworks based upon the imagined role of IT today in the 'age of the customer'.

COBIT vs ITIL perspective

I'm presenting on this to my local ISACA chapter next week and came up with this graphic to sum up their different perspectives:
ITIl vs COBIT perspectives

Same topic, even same scope, but ITIL is skewed by its service perspective into emphasising some areas and de-emphasising others.

That's not to say COBIT 5 doesn't still have some historical biases towards security and audit - it does - but it is more objective and balanced across all of IT as a subject area

I agree, COBIT is about

I agree, COBIT is about Governance & Control, ITIL is about Service Management.
There is space for both in one organisation and ISACA enabled this by incorporating ITIL (and Val-IT) concepts in the latest version of COBIT 5.

cobit itil and more

Very interesting.... in your opinion where does ISO and CMMI lay on this diagram? Im working on real this.


I've never mapped CMMI-SVC in detail but I'm assuming it has the biases as ITIL: service-centric. ISO20000 certainly does.

That's not bad, same as it isn't for ITIL. they're there to describe ITSM. They deliver as specified. COBIT describes IT

COBIT is not alone...

A great post, Rob, and I agree with your viewpoint entirely.

However, COBIT 5 is not the only IT governance framework, there is also:

IT-CMF V1.0 June 2010. It has big players like BP, Chevron, AXA, Ernst and Young, Northrup Grumman, Microsoft, Google etc. Visit Maynooth, 15km west of Dublin on Mon 3 June 2012 to attend a free IVI Summer Summit conference. I'm attending.


or read my column about it which includes lots of links (written in 2009)



Oh good. That's what IT needs, another framework.

We did discuss CMF on this blog a while ago.

It is proprietary and big business. Once again we have a Europe vs USA showdown....

I like it...

Great blog post!

From what I have read thus far, I am very much liking the Cobit approach. It's focus, and consistent reference to the cultural and behavioural aspects involved in new implementations and change for example, makes for some good reading.

The reformed process capability model is also welcome. Although it asks more of a process in terms of attributes required to reach a given maturity level, it will hopefully be embraced by adopters as a means of further enhancing the efficiency of their processes and associated value.

I am with Claire on the "Not the only game in town" comment, but welcome Cobit 5's foundation of encouraging an enterprise-wide perspective.

I love the description of

I love the description of ITIL as 'chatty'. Great article (as usual) - both ITIL and COBIT need to remember they aren't the only game in town and keep reassessing the value they are delivering.



If COBIT gets hoisted onto the shoulders of IT and carried along like a conquering hero - as ITIL was - I don't doubt it will go to COBIT's head just as it did with ITIL.

Nearly got me

re-joining ISACA but no.

Cobit 5 has these idiotic enabling processes

AP001 manage management Needs no explanation, where is govern government?
AP002 manage strategy But IT needs no strategy, corporation has strategy, IT has architecture and plans but no strategy
AP004 manage innovation "Sadly you can no more summon up true innovation or measure it or manage it than you can do those things to art. Flogging staff to come up with innovation is like demanding they paint a masterpiece." Now who wrote this great comment ;)

And these three are not separate
AP011 Manage quality
AP012 Manage risk Risk is quality
DSS03 Manage problems Problems are risk


unpicking COBIT 5


I think we'll have as much fun unpicking COBIT 5 as we did ITIL 3.

But I still like it.

I have changed my mind several times on IT strategy. i think there is such a thing, but it has to be an integrated subset of overall strategy, not standalone.

And it is useful to distinguish between risk, problem and quality even if they flow into each other, just as it is useful to distinguish between say painting and drawing

As for innovation, yes APO04 is a bit fad-driven or buzzword-driven i feel. Much of it makes sense but equally much of it could be part of APO03 Enterprise Architecture

Syndicate content