The ITIL V3 - COBIT V4.1 mapping white paper is available and no wonder noone is saying much

The long awaited ITIL V3 - COBIT V4.1 mapping white paper is available ... for a price. This is the final paper in a long-awaited series that answer the question left unanswered by the ITIL V3 books - how does ITIL relate to the standards and frameworks around it? The answer is that ITIL is very much a subset of COBIT's more comprehensive coverage.

Those of you who read Rob Stroud's blog (quite a few if his page rank of 5 is anything to go by) picked up this news back in early August. if ISACA told me I missed it. OGC/TSO or itSMFI haven't mentioned it as far as I can tell. heck TSO haven't even told folks about the second paper everywhere yet.

This is odd because it is at least as important as the ISO20000 paper. Perhaps they hesitate to mention that it is available for download free to ISACA members and the rest of you peasants will have to pony up $25.

More likely though it is because the paper once again reiterates just how much more complete COBIT is as a framework [although ITIL has advanced since Version 2], and more rigorous, even if ITIL does have a bit more meat on the bones (not as big a difference as people think). Compare the tables on pages 10 and 18 to see how COBIT more comprehensively addresses the audience, and see the chart on page 19 that highlights the holes in ITIL.

For those of you who don't have a spare twenty-five bucks, the COBIT processes not at all covered by ITIL V3 are:

  • PO2 Define Information architecture
  • PO3 Determine Technological direction
  • PO6 Communicate management aims and direction
  • PO7 Manage IT human resources
  • PO10 Manage projects
  • DS7 Educate and train users
  • ME2 Monitor and evaluate internal control
  • ME3 Ensure compliance with external requirements
  • ME4 Provide IT governance

Nothing important in that lot is there?

And the COBIT processes only partially covered by ITIL V3 are:
...oh never mind. There are 17 - too many to list. (ITIL only scores a full coverage on 8 COBIT processes). No wonder Castle ITIL isn't making a noise about this.

If you want to see the details, buy the paper. Better still join ISACA and tap into all this good stuff. Some organisations amply return the membership fee.


A different oppinion if I may

Dear Skeptik,

I am somehow familiar with the details of both COBIT and ITIL. COBIT is a collection of control objectives - something which a group of experts tells you that you have to do in order to offer sufficient assurance to the stakeholders that your IT does a good job. Maybe improper said, is like the dash bord of my car, telling me if all runs ok without knowing all the details of operation of a Diesel engine. COBIT Control Practices (free for members for download) is trying to give guidance in how to do it, this is probably you talking about, going step by step through detailing what did they meant through those control objectives. You have to admit that is not giving you that guidance in a logical fasion as ITIL is giving to you, much more mapped onto the IT engineer mind as mine. Keep in mind if you want to cascade that info down to all IT peoples in organization, you have to go back to ITIL or either invent something. ITIL guidance I can relate it more to real IT life (of course with limits you have discussed much better into various postings, my favorite the Service Strategy).

Going back to the list of processes you have mention, I will pick up 2 of them, to comment, PO07 and PO10. What is the point of implementing PO07 in an IT organization? I never heard till now about an IT managing their IT human resources!! I always been at the mercy of an HR department with their own corporate rules. And PO10 you have to admit is nowhere a project management methodology.

I would rather reiterate that both can work very well toghether completing each other. I am surprised that you have not mentioned about COBIT Assurance Guide which will make PinkVerify looks occured.


Don't agree, coco

Hello Coco:

first of all, I must say that of course, you can have different opinions than the others, and you are welcome (oh! this is not my website, but I'm sure that this is the spirit that lives in this bits).

On the beginning of August I wrote a small post about this mapping in my blog, but this is a Spanish blog so I have a few visitors there. The post, translated by the infernal Google translation machine is here: and the original post is here:
I hope you can understand something from the translation.

In my opinion, what you have described about Cobit is only the Control Objectives definition (the big and known book), but Cobit is a set of books (exactly as the L in ITIL says) and we can find tons of guidance there. I agree that the format chosen for ITIL does it more readable and more understandable, but we must agree that Cobit covers more aspects than ITIL.

But for those aspects covered by both frameworks, they complement each other and it is a good idea to use both guidances and a big piece of common sense to filter.


Hi Coco I do mention the

Hi Coco

I do mention the assurance guide. Please read that other post - I make it clear that I am referring to COBIT as a body of knowledge, not COBIT 4.1. The COBIT suite of publications (as compared to just the framework) has great depth, growing all the time.

PO7 and PO10

PO07 talks about motivating staff, ensuring they get training, and matching them to roles and responsibilites. Not things I would like to abdicate to the HR department (who i ahve to admit our my least favourite people in most organisations ;-) ) A major failing of IT departments is not putting the effort into real management activity.

PO10 is not a project methodology, it is about ensuring the right methodologies are used.

Fit for governance?

Actually, where ITIL says that a service should be fit for use and fit for purpose, I'd say that CobiT adds the prerequisites for a 'fit for governance'. Without using that phrase specificly, CobiT does fill in the (steering of the) two governance components also described in ISO38.500 (Corporate governance for IT): performance and compliance/conformance.

I recently did an article about this with a colleague. It is in Dutch onfortunately (on the website of the Dutch magazine 'Computable'). The graphical mapping (ITIL to CobiT) is in English however.

You can find it on


@JamesFinister: You have confirmed that COBIT is just what you have to do; PO07 I mentioned in the context that in my experience I never seen an IT department taking full ownership of what is in there - that is in my opinion the reason of a lot of issues you have mentioned, because somedody else (HR) is claming that they do when in fact doesn't happen

@skeptik: yes, COBIT is more complete, free (for members), but complete in comparation with what? A lot of the items in there are not applicable in practice, similar with your opinion on CMDB. BTW in COBIT, DS9 is in fact the SACM and specifically DS9.1 describe the CMDB

@avallesalas: point taken Antonio, I liked the comparation betwen then and now. Just notice DS2 and DS4 are downgraded!! Strange, I thought that inventig a new process as Supplier Management will look better but in fact has downgraded ITIL.

In relation with DS7, I am walking on water now, but what if a complex algoritm like that one from market spaces run on resorces from service portfolio/catalog/CMDB, and a triger into the new evaluation process will not do the magic!!

Syndicate content