When approaching IT governance, there are a number of frameworks, maintained by various governing bodies, that reflect the experience of hundreds of organizations. However, three frameworks appear quite frequently:
Recently, ISACA released COBIT 5 – the latest version of its internationally recognized “Business Framework for the Governance and Management of Enterprise IT.” COBIT, initially an acronym for ‘Control Objectives for Information and Related Technology’, defines 34 generic processes for managing IT. Each process is defined together with its inputs and outputs, key process activities, process objectives, performance measures and an elementary maturity model.
COBIT 5 provides an end-to-end business view of the governance of enterprise IT. It reflects the central role of information and technology in creating value for enterprises. The framework supports governance of IT by defining and aligning business goals with IT goals and IT processes. The principles, practices, analytical tools and models found in COBIT 5 embody thought leadership and guidance from business, IT and governance experts around the world.
The IT Infrastructure Library, or ITIL®, was maintained until 2010 by the United Kingdom’s Office of Government Commerce (OGC). Since 2010 it has been owned by the British Government.
ITIL is a set of practices for IT service management that focuses on aligning IT services with the needs of the business. In its current form – ITIL v3 and the ITIL 2011 edition – the standard is published as a series of five core publications. Each publication covers one stage of the IT service management lifecycle: Service Strategy, Service Design, Service Transition, Service Operation, and Continual Service Improvement.
ITIL is a widely accepted approach to IT service management. It provides a cohesive set of best-practice guidance drawn from the public and private sectors across the world, and it has recently undergone a major refresh.
ISO 17799’s full title is “Information Technology – Code of Practice for Information Security Management.” ISO first released it in December 2000, but it was originally published by a government department in the United Kingdom as British Standard 7799 (BS 7799). The standard was intended to focus on security and to assist organizations in creating an effective IT security plan. In 2005, ISO 17799 was re-published to reflect changes in technology.
ISO 17799 lists a number of specific security controls that may be applicable to an IT environment. Controls are normally selected through a risk assessment, following the methods set out in ISO 27001. ISO 17799 and ISO 27001 are already global standards, with established compliance and certification schemes in place.