ITIL-COBIT mapping shows even less coverage by ITIL
Along the way, I've somehow never got around to discussing a very important paper: Aligning COBIT® 4.1, ITIL® V3 and ISO/IEC 27002 for Business Benefit. This is one of the official OGC Alignment White Paper Series that do the alignment between ITIL V3 and the other frameworks, that ITIL V3 should have done in the first place.
Back in 2008 I told you about a similar earlier white paper published by ISACA and available free only to ISACA members: "COBIT Mapping: Mapping of ITIL V3 With COBIT 4.1".
More recently we had another white paper, this time issued jointly by ISACA (owners of COBIT) and OGC (owners of ITIL). This paper, the excitingly titled “Aligning CobiT® 4.1, ITIL® V3 and ISO/IEC 27002 for Business Benefit” is available for public download. It does not map the processes so starkly – it doesn’t give ratings of coverage. But if you wade through the detail of the mappings you can make your own assessment based on what proportion of COBIT controls for which it shows equivalent ITIL coverage. You may conclude as I did that it seems to rate ITIL more highly against two processes (PO1 and DS2) than the original paper did, and seems to make an even lower assessment than the first paper on five others (PO9, AI2, AI7 DS5, DS10), ending up with indicating that ITIL has full coverage for 8 of the 34 COBIT processes [a different 8 to the original ISACA white paper].
Remember this is not somebody trying to undermine ITIL – it is a paper co-written by the ITIL Refresh Chief Editor and reviewed by the ITIL Chief Architect. It says ITIL covers less than half of the processes that COBIT does.
ITIL covers less than half of COBIT's range and only completely covers about a quarter of the practices. Maybe you and I know that, but there are an awful lot of people out there still thinking ITIL is a comprehensive framework for IT operations. Heck, measured using COBIT, ITIL isn't even comprehensive for ITSM. And I'm not saying COBIT is 100%.
The white paper diplomatically tiptoes around a direct benchmarking of the two frameworks against each other, unlike the earlier white paper published only by ISACA which bravely made the measurement and graphically depicted the holes. it doesn't even offer the mechanism for us to do it for ourselves. It just lines up selections of statements from each framework. Some of the choices are pure B.S. to try to offer something...anything to plug a hole, which must represent cynicism because none of the authors can claim ignorance. Nevertheless I took them at their word and rated whether there was a complete(-ish), partial or no match for each COBIT practice in order to come to the conclusions above.
My result is based on some subjective decisions and on the extremely debatable proposition that none of the paper's correlations should be challenged. So my detailed results are not important here: if this is of interest to you, I think you should use this white paper to make your own calls and come up with your own bake-off between the two. If you do, tell us your result OK?
Made in New Zealand 
Comments
Hmm disagreeing with some of
Hmm disagreeing with some of my favourite contributors - this should be fun.
1) Not only does the world want the answer in one package, they deserve it. Most sites don't have the money to employ expensive consultants to hand-craft a framework for them drawing from five others. The world is ripe for one ring to rule them all. heck, I spend all day immersed in this stuff and I'm suffering from framework overload. How is it for the geek-in-the-streeet?
2) the COBIT processes only partially covered by ITIL V3 are: ...
• PO1 Define a Strategic IT Plan
• PO4 Define the IT Processes, Organisation and Relationships
• PO5 Manage the IT Investment
• PO8 Manage Quality
• PO9 Assess and Manage IT Risks
• AI1 Identify Automated Solutions
• AI2 Acquire and Maintain Application Software
• AI3 Acquire and Maintain Technology Infrastructure
• AI4 Enable Operation and Use
• AI5 Procure IT Resources
• DS2 Manage Third-party Services
• DS4 Ensure Continuous Service
• DS5 Ensure Systems Security
• DS11 Manage Data
• DS12 Manage the Physical Environment
• DS13 Manage Operations
Nothing important in that lot is there? You can see here the ones it totally omits. There ARE big important holes in ITIL that should not be there for what it is touted for. If you want to run a service desk, ITIL is great. If you want to do ITSM it is dodgy. If you want to run IT it sucks.
3) I get frustrated by those who say COBIT does not provide the "how". Sure it isn't a rambling narrative like ITIL and sure it does not provide enough guidance unless you have prior knowledge, but (a) it provides a lot more than it is given credit for - I have a document I distilled from COBIT on service desks that I show to folk and it blows them away how much is in there and (b) I think all that will change with COBIT 5 - my reading of the tealeaves is that COBIT 5 is about to be the much sought "open ITIL"
Love COBIT & like ITIL; or
Love COBIT & like ITIL; or like COBIT & love ITIL.
The point is, you ain't going to get a COBIL or an ITBIT - unless you write it yourself.
Get over it. Be grateful that they both exist - and use your brain :)
COBIL
I really do think COBIT5 could be COBIL. Se that other post:
...or today's article on ITSMWatch
Specialization
First a few comments on the numbers. Triple is not bad but in the meantime (2002-2008) the aggregate number of people who have taken an ITIL exam by EXIN has grown by a factor of 12 and the people taking exams annually has grown by a factor of 14. ISO 20000 certifications double in 12 months, in three years the number has grown by factor of 9.
In the survey only about 10% strongly agreed to act as volunteers, in reality the real number is much less. It looks like 88% of the members agree that CobiT is a bit thin on how-to.
One ring to rule them all may sound nice but is actually as bad idea as in the original. Modern society runs on specialization. Only way we can manage in the complex world is by being specialized. Everybody who reads this is a prime example of niche specialization. Running a road building company is quite different from actual road building. Anybody who wants to build a road in Finland needs solid guidance how to handle ground frost, otherwise the road will be a mess come next summer. On the other hand this knowledge is useless unless the company can handle financial matters so that there is money available, labor issues, sub-contractor control etc.
So if CobiT 5 materializes as solid one meter thick book (silver bullet?), who reads it? A lot of the area covered by CobiT has already sound guidance in other standards and frameworks as Support Thought wrote. The CobiT 5 authors cannot copy existing materials so they would have to make it different. That would not be a good idea.
It would be much better if Isaca and OGC would stick to their strengths and would cooperate to create an aligned Cobit 5 - ITIL 4 combination.
Aale
I think the marketplace would be delighted
A combination is not an impossibility. Let's watch developments over the next year or two. After all, ISACA and itSMF recently signed a Memorandum Of Understanding.
A 100% ITIL-compatible COBIT is not impossible either. The COBIT authors can indeed copy ITIL all they want, so long as they don't copy the wording. ITIL is by definition common practice drawn from industry, so the concepts of ITIL are not defensible under copyright, only the exact wording is.
Most likely of all, ISACA will simply apply for an OGC licence to reuse ITIL content. It would be in the best interests of both parties. ISACA already have permission to reuse ITIL content, for example in the excellent COBIT User Guide for Service Managers.
I read the market demand differently Aale. Everyone who objects to the one-ring concept are paid consultants. I think the marketplace would be delighted by a one-stop-shop.
ISO has more than one standard for a reason.
Okay, tea leaves aside. ISO has a number of standards for specific or specialized areas for a reason.
One standard to fit everything may end up being a tad large.
CobiT and ITIL are different. Different parents; (COSO vs OGC,) Different goals; (CobiT provides tangible proof and results, i.e control objectives and practices. ITIL is almost a concept and philosophy; and different audience. (Audit vs IT, or if you prefer ISACA and ITSMF)
I agree about Cobit having great content and being useful for improving and sustaining your IT/IS environments. But it takes a great deal of time (years?) to get a depth of knowledge to know what is in there. Cobit needs a GUI interface to assist in its navigation. My preference is to use both. I find that CobiT gives me far more traction in the boardroom, and with senior management. ITIL resonates in the operational side of the house. (As an aside, I like Zachman for brainstorming work flow.) Horses for Courses.
In the audit world, CobiT is already established as the standard to use. It is written so that business (auditors and accountants) people can understand what the heck is going on in IT. The controls indicate what outputs to look for from a People, Process and Technology perspective. That being said, I think that it may be a moot point. CobiT came out of the boardrooms. It's specific intent was to assess that the necessary controls were in place to guarantee the necessary IS and IT resources were under control. Senior Management, at some point, may demand to see the CobiT alignment in ITSM.
What CobiT needs is a marketing push; I don't think it has tipped yet into common awareness or practice within IS and IT.
ITIL still shows up in RFP's as a key requirement. In my experience, CobiT does not...Yet....When that happens, ITIL may be taking a knife to a gun fight.
Glenn, I totally agree with
Glenn, I totally agree with you on this. I use ITIL as the framework and COBIT/ISO 20000 to measure how the implementation and execution are working in my community. Each has a set of different objectives and trying to marry these into one shouldn't be done. I like one stop shopping but with variety and specialty at my shop. I actually find reading COBIT and ITIL helps to better understand what should be in a process.
We are losing the concept that ITIL is a framework not a standard. As a framework, it describes as a best/good practice: here's what needs to be considered and the organization works to determine how can it best be implemented in an organization to work effectively.
ITIL is redundant
"As a framework, [ITIL] describes as a best/good practice: here's what needs to be considered and the organization works to determine how can it best be implemented" Sounds exactly like COBIT to me - certainly that is exactly how I use COBIT, as reference framework. I thought everyone says COBIT is the "what" and ITIL is the "how"? On your description I'd say ITIL is redundant :)
so if I'm dipping my toes into COBIT
For my sins I've done all the ITIL training & certification you can easily do (V3 Expert via V2 Manager).
My work context.
I will be aiming to stand up a centralised CSI function in my workplace that will cover services, processes and work very closely with our HR Dept and of course our customers and the punters within our company where I need to. We will be an ICT Infrastructure shared services shop supporting circa 60000 users. Our transformation is pretty fixated on ITIL v3, but as you have suggested elsewhere, "using ITIL to justify and measure ITIL" is a bit of a wank. So COBIT sounds more practical for measuring, controlling and deciding. I've got IT Financial Mgt licked due to loads of beanie experience, TCO consulting, selling outsourcing deals etc.
I understand that "quality" programs can take years to become part of the culture, business planning and performance mgt cycles can be as long as a year and checked as often as people can be bothered.
My serious question: If you were in my shoes would you spend a few days in a COBIT 4.1 course getting some of the basics (and a piece of paper), or would you wait until COBIT5 comes along? Honestly, I'm actually AOK to stay broad and shallow for the medium-term so maybe I'm answering my own question.
Look forward to people's thoughts.
ISACA
As well as downloading the freely available COBIT material I would highly recommend joining ISACA to get access to the cornucopia of collateral they supply to members.
Depending on where you judge the current maturity of IT services to be I would also highly recommend getting at least part of the organisation ISO20000 certified to establish a relatively trustworthy baseline. My cynical/skeptical view is trhat many IT departments who are getting fixated on v3 have yet to get to grips with the basics of v2
You might also want to look at ISO 38500.
Take from all of them what they have to offer, and don't get hung up on whether this bit or that is compatible - in the real world they all are, and all reinforce the same basic messages.
where does it end?
Then there's USMBOK, NABSM, BisL, ASL, CMMI-SVC, TIPA, Val IT, Risk IT, Visible Ops... They're all useful but where does it end? How much IP does a guy like Tom have to wade through to "take from all of them"? It's Ok for process geeks like us but for the real world it is utterly ridiculous. I'm looking to COBIT5 to pull at least most of it together for us.
Incidentally the ISO20000 part 5 Exemplar Implementation Plan looks great! I'm reading through it now. Nice work James and co. And thanks Ralph for recommending it.
Arrrgh, my brain hurts...
Arrrgh, my brain hurts...
Embarrassing confession no 212....
I still haven't managed to download my copy of Pt 5 from the committee member website, thanks for reminding me.
As for "where doe it all end", well who knows? For most organisations the major challenge is still getting to a safe and stable place, not refining process documentation to the nth degree. There are certainly times when I think ISACA has over egged the pudding.
at least it is one pudding
perhaps COBIT is overdone but compared to the total body of ISO20000 I don't think so. Even if the pudding is over-egged, at least it is one pudding. With COBIT I can find out what I need to know about to perform all IT. If I need more on the subject I can refer somewhere else, like ITIL or any of the list I mentioned above, or the growing body of complementary COBIT books. And it covers - or at least attempts to cover - IT, not just ITSM.
IT vs. ITSM
Which brings us to one of my favorite topics:
... what is the difference between "IT" and "ITSM"?
In a blue book, would any two readers of this blog respond similarly?
Charles T. Betz
http://www.erp4it.com
have a read over breakfast
COBIT5 is a way off yet. Download COBIT 4.1 for free, have a read over breakfast for a week, then decide if you need a course
ITIL would be too big if it were as big as COBIT?
Glen, I'm confused. ITIL would be too big if it were as big as COBIT? So COBIT is too big then? But COBIT is useful as it is?
And COBIT couldn't expand to cover practical advice because that's not what it is for? That argument ignores the third - dark - horse in this race, ISO20000, which has a guidance section and other steadily growing supporting content. If a standard can expand into ITIL's domain, why can't an assessment framework? (We'll have to break ISO20000 up too I guess as it is obviously too big and unspecialised...)
The majority of ISACA members are not auditors any more. I'm a member. Free your mind: COBIT can be anything we make it.
Confusing state of mind
Hang on, I did not say ITIL would be too big. I said one standard for everything would be a tad large. An aside, I keep getting Tolkien in my head, with apologies..."One framework to rule the all and in the darkness bind them."
Shouldn't a framework leverage existing work? ISO and Cobit point to other elements and standards where possible. ITIL has always frustrated me because it "Borrows" other approaches with limited accreditation, or reference.
Is ITIL too big?
ITIL V1, V2 and now V3...seem to suffer the same fate. The user community take up the pieces that add value or relevance; ignore the rest. V2 has amazing resources outside of Service Support and Service Delivery; i.e Planning to Implement Service Management is a how to book, and ICT Operational Management explores the concept of functions quite well and the Business Perspective volume(s) are strategy 101, in plain english. Lastly, V1's Understanding and Improving and ITIL In Small Units are great reads, but are not used. Yet the examinations are focused on the operational and tactical processes, where's the rest?
The difference between ITIL and Cobit from a useability point of view is the structured approach in CobiT. However, Cobit in its present state is too big for a casual user. Thus the push for practical advice and guidance on how / what to use. Right now it is not in bite sized pieces, very easy to choke on the amount of information available.
IS02000 as a dark horse is interesting... Never see it mentioned in RFP's over here. Seems to be running a distant third. Which is upsetting, because I like the approach....But again the focus of ISO20000 is narrower than the whole ITIL library. It does not try to be all things to all people. ISO20000 works because it is focused and specialised. There are other ISO standards to use for elements out of scope. (I.E. ISO/IEC 12207 Software Life Cycle Processes, ISO 27001 Security)
The article in ITSMWatch about Cobit v5, with attached link to the presentation, makes the future look exciting. Interesting to see if how the marriage between audit and practitioner perspectives will work out. I have an open and free mind, but CobiT will be what the editors at ISACA let us make it.
Simplified, Use ITIL to Do IT, CobiT to Control and Improve IT, ISO20000 to Prove IT to the rest of the world.
You're so right about the
You're so right about the market adopting only chunks of ITIL, and i think you touch on why: the Foundations never taught it.
One more thought: COBIT may not displace ITIL if it does not go as deep as ITIL, just deeper than it does now. But even then I think if there is enough meet on the bones COBIT (or ISO20000) will become the go-to framework and ITIL will just be supplementary explanation. I'd like to see that.
I use COBIT and ISO20000 now, for current state assessment benchmarks and as formal support for proposed desired states. They are reference frameworks for me: using them is an activity performed within service improvement consulting, not for audit.
Violent Agreement Then
ITIL provides a pathway. Cobit a means to evaluate where you are and tangible outputs to pinpoint where you want to be.
I use CobiT for improvements and as a consulting tool. It makes it easy to show the business (and audit) what is missing.
Almost
Almost. I think that is gonna change and COBIT is going to eat ITIL's lunch :D
If it was ever ITIL vs. CobiT
"What CobiT needs is a marketing push; I don't think it has tipped yet into common awareness or practice within IS and IT.
ITIL still shows up in RFP's as a key requirement. In my experience, CobiT does not...Yet....When that happens, ITIL may be taking a knife to a gun fight."
This back office brawl was lost by IT before it started. If it ever gets to the point of ITIL/MOF vs. COBIT, the number crunchers win. Why? They have a lot more credibility in the board room than IT. You can probably cite exceptions to this, but my personal experience is that IT is a cost center to be regulated by accounting or otherwise kept in check by management. We can talk about “business as a customer”, “technology enabled business”, and other service-oriented fronts for IT, but they rarely result in a culture shift that puts IT proposals on an even footing.
Using one's brain
Using one's brain is much out of fashion. if it doesn't fit on a blog post (or in 140 char) it is too complicated.
I was saying to someone just today that the heavy traffic to this blog is about getting certified, buying software tools, and free samples of anything.
No-one ever went broke overestimating the appetite for out-of-the-box solutions.
I'm also much alarmed by the number of people who take The ITIL Wizard seriously.
Let's Keep Things In Perspective - The Answer Isn't 42!
I really appreciate what Aale and Glen have said in response to your initial posting, Skep.
Being provocative can be fun ("what's better - ITIL or COBIT?"), but Aale is right on the money when he said these two BOKs were developed for different audiences. There's value in both - let's not forget that. Comparing one against the other sounds like we're striving for a simply one-stop solution, but we're always cautioning each other that there are no silver bullets (is it "silver bullet" or "magic bullet"???)
It's interesting to note that although COBIT describes a much wider scope than ITIL, despite all the whining over the years about ITIL falling short with the "how tos" Aale correctly points out that ITIL does a better job of this than COBIT. Sounds like COBIT = more width, less depth; while ITIL = less width, more depth!?
Clearly Glen is also hitting the spot when he describes the "killer combination". Refer to both frameworks, why don't you?
As you well know, Skep, Douglas Adams tells us that the ultimate answer to everything is 42! But he was only kidding - right? The magic/silver bullet is a nice idea, but oh so elusive. Although, hold on, Adams sold a ton of books with this idea. Hmmm.
Agreed - with caveats.
I Couldn't agree more with these posts.
I would however mention one thing, David says that CobIT is the bredth whilst ITIL is the Depth, and if this is so I think ITIL should be better at providing the giudance and detail that depth should contain.
I would not wish for an expanded ITIL to compete with the bredth of Cobit, but rather a higher quality depth in the existing ITIL framework.
I am not really a framework wonk but I suspect that under the Cobit Bredth are many other frameworks (peers to ITIL) that complete the picture, for instance in HR and Finance that ITIL skims on (and probably shouldn't).
Support Thought
The holes are not the problem
CobiT tries to cover everything as it is an IT auditors tool. ITIL tries to give guidance for practioners of IT Service managements. Two different needs and two different audiences. Your recent Visitor represents the correct audience for ITIL. I meet these people all the time. Luckily for me they are not that vocal or aggressive but the fact is that there are a lot of IT practitioners who are either unaware of ITIL processes or resent those processes. It will take some time before proper change management is truly a common practice.
While CobiT covers a wide field, it does not give much guidance. I like CobiT approach and content but I doubt if anybody could build a working Service Desk based on CobiT alone. Ideally CobiT, ISO 20000 and ITIL V4 should be based on the same structure so that CobiT would define good practices, ISO 20000 would offer certification for the ITSM domain and ITIL would explain how the ISO 20000 certification can be achieved efficiently. ITIL should not stray beyond ISO 20000 requirements but it should cover them.
Aale
The holes are not the problem
I fully agree with Aale and have been working accordingly for some time already. I have been using CobIT for "what" and ITIL for "how" and have used ISO 20000 as a basis for assesments and it all seems to be working fine.
However, this whole discussion about different frameworks is very academic and draws the attention away from the real life problems of the IT departments. The customers don't want to hire a consultant to implement frameworks but to make their service delivery work more efficiently. I think it would be much more beneficial for us to start sharing real life tips and tricks of how to make these frameworks work. This, of course, unless we all are competing consultants.
CobiT and ITIL
Together they make a killer combination.
I have always said, ITIL is a compass, you use it to navigate the landscape. Make informed choice and improvements.
CobiT on the other hand is more like a tool for analysis of IT effectiveness. I use it to verify what is in place, then look for what may be missing. In simple terms, I use CobiT's Control Objectives and Control Practices to verify the level of capability and identify what is required to move IT forward. CobiT provides a template to validate your opinions. Moving from assumption to fact. Itil on the other hand, provides a concept and approach to allow you to link disparate approaches.
My favorite quote from a client..."ITIL provides the language and approach to etch through the titanium walls of our siloes." Once the teams start to communicate and share, the systems start to merge into services. Make no mistake considerable effort is required, but the changes are tangible. CobiT provides tangible outputs and controls to look for, evaluate and improve.
One last point for consideration. IMO...ITIL was created by and is written by IT for IT, for example many of the concepts in Service Strategy are better explained in Business Management books (e.g. the 12 hour MBA) but in the strategy book we get an IT flavour. This flavour makes it more palatable to an IT audience. CobiT came out of the business and governments need for a ways and means to evaluate the capability (credibility?) and control of the IT underpinning the business. CobiT is written with a focus on the business perspective of IT; it provides a handbook for IT Auditors, Managers and Professionals to assess and prove the IT capability.