Itil Cobit


ITIL® 4 and COBIT® Vishal Vyas

White Paper May 2019

Contents

1 Introduction
2 Putting it in perspective: IT governance and IT management
3 ITIL 4 and COBIT 2019: focusing on similar problems from different directions
4 ITIL 4
5 COBIT 2019
6 ITIL 4 and COBIT 2019: similarities in framework architecture
7 Synergy in components of the governance system and dimensions of service management
8 Synergies between ITIL service value chain and COBIT goals cascade
9 Synergies between ITIL service value chain activities and COBIT domains
10 Synergies in ITIL practices and governance management objectives
11 ITIL 4 and COBIT 2019: how they are different
12 Conclusion
13 About the author


AXELOS.COM

1 Introduction

In many areas of work there can be a conflict between doing the right thing and doing things right. In an IT environment, doing the right thing can be summarized as what the IT team decides to focus on to achieve the business aims. This is IT governance. When this has been decided, the IT team will focus on doing things right. In practical terms, this translates to how the IT team will carry out this task. This is IT service management.

2 Putting it in perspective: IT governance and IT management

There is a certain amount of confusion regarding the term IT governance. Some IT professionals mistakenly believe that IT governance is related to adhering to rules and regulations, as well as general bureaucratic tasks, that can act as an impediment to normal operations. This view of IT governance is unfair and inaccurate. The truth is that IT governance works together with IT management. IT governance ensures that IT activities and processes are aligned with the overall objective, such as enterprise priorities. IT management comprises the methods used by IT teams to meet these objectives.

IT governance aims to achieve balance between IT performance and IT conformance. IT performance ensures that IT continually delivers value and meets consumers' expectations in terms of cost, functionality and so on. IT conformance ensures that all of the rules and regulations are adhered to and that all risks are appropriately managed.

IT performance and IT conformance can conflict with one another. For example, an excessive focus on IT conformance would be where the IT security department enforces a stringent password policy, where all passwords must be 32 characters long, include numbers, and be changed daily. This would result in difficulties for the user. On the other hand, an excessive focus on IT performance would enforce a lax password policy where passwords never expire, require four characters, and only include numbers; this would compromise IT security. IT governance would create systems to evaluate the various options available and then select the appropriate option. Thus, IT governance is the balance between IT performance and IT conformance.

3 ITIL® 4 and COBIT® 2019: focusing on similar problems from different directions

IT today is a much more complex and continuously evolving entity than it was just 20 years ago. Initially, the enormous efficiency improvements brought by IT to business processes were the key driver for the increasing use of IT in many areas. The increase in the number and quality of technology led to the use of IT in more complex and critical business processes. After a short amount of time, the industry was facing increasingly complex IT, which had become ubiquitous in industry segments, business domains, and processes. This complexity had been created by the volume of material and the interdependencies of technologies on one another. Furthermore, there was an overabundance of stakeholders working simultaneously on the various aspects of IT design, creation, delivery, and consumption.

There have been clear attempts by IT stakeholders to manage this complexity. ITIL is an example of this. Business stakeholders have also attempted to utilize IT to suit business objectives. This has been attempted through governance and control frameworks such as COBIT.

The focus of ITIL has steadily evolved over the years. Currently, its objective is to deliver value to the customer in the form of services. The key objective is to understand the parameters and needs involved in good service delivery. This is viewed from the service provider’s perspective, looking at the client or business.

The focus of COBIT has also evolved. Its key objective is to ensure services are delivering stakeholder value from a business perspective, looking at a service delivery engine. Essentially, COBIT and ITIL are two different methods of achieving the same objective. At a certain point these two frameworks will complement each other.


Governance is normally considered the study of ‘what’ an organization needs to achieve, whereas management is usually about ‘how’ to achieve it. In other words, COBIT is the governance framework and ITIL is the execution framework.

Figure 3.1 COBIT and ITIL interaction

4 ITIL 4

ITIL 4 acknowledges that there are various methods of managing and implementing IT. Hence, it does not prescribe definite processes and architectures, as this may be counterproductive to the specific service delivery environment. Instead, ITIL 4 builds upon the immense pool of existing knowledge of IT service management practices present in various organizations. At the same time, it is flexible enough for organizations to use when and how they need it.

ITIL 4 advocates that any service delivery and value creation effort should consider the four dimensions of service management:

• organizations and people
• information and technology
• partners and suppliers
• value streams and processes.

The ITIL service value system consists of:

• Guiding principles: recommendations that can guide an organization in all circumstances, regardless of changes in its goals, strategies, type of work, or management structure.
• Governance: the means by which an organization is directed and controlled.
• Service value chain: a set of interconnected activities that an organization performs to deliver a valuable product or service to its consumers and to facilitate value realization.
• Practices: sets of organizational resources designed for performing work or accomplishing an objective.
• Continual improvement: a recurring organizational activity performed at all levels to ensure that an organization’s performance continually meets stakeholders’ expectations.


Figure 4.1 Service value system

The service value chain consists of six activities:

• plan
• improve
• engage
• design and transition
• obtain/build
• deliver and support.

5 COBIT 2019

COBIT has been one of the most popular options for anyone attempting to establish governance over IT service creation and delivery. COBIT also established creation through IT-enabled investments. There have been other attempts such as ISO 38500, OECD® principles, and the Cadbury report. However, these have not been as popular as COBIT, nor have they developed as large a repository of knowledge as COBIT has.

COBIT 2019 has been updated with new guidance, facilitating an easier and more intuitive implementation. This will strengthen COBIT’s continuing role as an important driver of innovation and business transformation.

COBIT 2019 prescribes the six governance system principles as:

• provide stakeholder value
• holistic approach
• dynamic governance system
• governance distinct from management
• tailored to enterprise needs
• end-to-end governance system.

COBIT 2019 product architecture consists of major components.


For information and technology to contribute to enterprise goals, several governance and management objectives should be achieved. These 40 governance and management objectives are grouped into five domains:

• EDM: evaluate, direct, and monitor
• APO: align, plan, and organize
• BAI: build, acquire, and implement
• DSS: deliver, service, and support
• MEA: monitor, evaluate, and assess.

To satisfy governance objectives, each enterprise needs to establish and sustain a system built from some of the below components:

• processes
• organizational structures
• principles, policies, and frameworks
• information
• culture, ethics, and behaviour
• people, skills, and competencies
• services, infrastructure, and applications.

A focus area describes a certain governance topic, domain or issue that can be addressed by a collection of governance objectives and their components. For example:

• small and medium enterprises
• information security
• risk
• DevOps.

Organizations will need to adapt the following design factors to meet their requirements:

• enterprise strategy
• enterprise goals
• risk profile
• I and T related issues
• threat landscape
• compliance requirements
• role of IT
• sourcing model for IT
• IT implementation methods
• technology adoption strategy
• enterprise size.


6 ITIL 4 and COBIT 2019: similarities in framework architecture

6.1 GOVERNANCE IN COBIT 2019 AND ITIL SVS

The ITIL 4 service value system is an example of how various components in a service provider's organization can come together to create value. One of the important components of the ITIL SVS is governance. The principles of governance as discussed in COBIT are similar to some of the concepts discussed in ITIL 4. Evaluate, direct and monitor are the basic governance components accepted by both ITIL 4 and COBIT 2019.

6.2 GUIDING PRINCIPLES

Figure 6.1 Guiding principles

The 7 guiding principles of ITIL 4 should be considered in all areas of an organization. Some of the guiding principles in ITIL 4 have a close relationship with the governance system principles described in COBIT 2019, such as:

• Focus on value: the ITIL 4 guiding principle of focus on value is compatible with the COBIT 2019 governance principle of delivering stakeholder value. Both principles focus on value creation for the relevant stakeholders.
• Think and work holistically: the ITIL 4 guiding principle of think and work holistically is compatible with the COBIT 2019 governance principle of end-to-end governance system. Both principles state that value cannot be delivered by working in isolation but can only be created by focusing on all of the components that the enterprise puts in place to achieve its goals.
• Progress iteratively with feedback: the ITIL 4 guiding principle of progress iteratively with feedback has some similarity with the COBIT 2019 governance principle of dynamic governance system. Both principles acknowledge that the management framework will be revised during its lifetime in response to a changing business environment.


7 Synergy in components of the governance system and dimensions of service management

ITIL 4 reinforces the principle that value cannot be created by independently implementing either processes or technology. Value creation must be brought about holistically to include the four dimensions of service management. These dimensions complement some of the COBIT 2019 components of the governance system. Interestingly, COBIT does identify partners/suppliers as one of the components of a governance system.

Figure 7.1 Interaction between governance system and service management

• Organizations and people: this dimension is closely associated with the COBIT 2019 component of organization structures, people skills, and competencies.
• Information and technology: this dimension is closely related with the COBIT 2019 component of information, service infrastructure, and applications.
• Value streams and processes: this dimension is closely related with the COBIT 2019 component of processes, principle policies, and procedures.


8 Synergies between ITIL service value chain and COBIT goals cascade

To create value, the six activities of the ITIL service value chain draw upon other organizational components. These activities are non-linear, and do not have a definite sequence or definite start and end points. The value creation journey will be different for every value creation instance. A similar concept can be observed in the COBIT 2019 governance and management objectives.

The localization and customization of the service value chain is a key point emphasized in ITIL 4. The requirements that need to be met must be determined before embarking on a service value chain for value creation. This will determine the sequence of activities.

A similar process ensures the localization and customization of the application of COBIT through a goals cascade methodology. The organization must understand what the enterprise goals and priorities are before embarking on the application of governance controls and processes. There are 13 such enterprise goals identified in COBIT 2019. Once selected, they can be mapped onto the alignment goals, of which there are 13, that IT is expected to achieve to contribute to value creation. These alignment goals can then be used to decide which governance objectives, of which there are 40, need to be worked on to improve the governance systems within the organization.

The similarities between the two frameworks can be observed at a very high level. Both frameworks consider business objectives and focus on value creation as a starting point. Yet, they are both trying to achieve a different purpose.

9 Synergies between ITIL service value chain activities and COBIT domains

ITIL 4 service value chain activities will use a different combination of ITIL practices to create value. This is fairly similar to the governance and management objectives in the five domains in COBIT.

• COBIT align, plan, and organize (APO) and the ITIL service value chain plan activity: these two complement each other, as the grouped processes/practices focus on all of the planning activities within an organization, such as projects, services, enterprise architecture, and so on.
• COBIT build, acquire, and implement (BAI) and the ITIL service value chain design and transition and obtain/build activities: COBIT domain BAI complements the ITIL SVC activity of design and transition in areas such as requirement definition, availability, capacity, and so on. COBIT domain BAI also complements the ITIL SVC activity of obtain/build in areas such as managed IT assets, configuration, solution acceptance, and so on.
• COBIT deliver, service, and support (DSS) and the ITIL service value chain deliver and support activity: these two are perhaps the most complementary activities in COBIT and ITIL 4. Both focus on areas such as service requests, problems, incidents, and so on.


10 Synergies in ITIL practices and governance management objectives

Both ITIL 4 and COBIT are frameworks that have similar objectives yet attain them through different perspectives. One-to-one mapping of processes is neither possible nor advisable. However, there are certain similarities that can be used to complement one another.

COBIT has taken an open approach in articulating the scope of its influence. When necessary, it also does not shy away from guiding users to other appropriate frameworks, standards, and processes. COBIT 4.1 and COBIT 5 have a related guidance outline. COBIT 2019 takes a step further in this direction. In the description of governance and management objectives, each objective points to a ‘related guidance’ and ‘detailed reference’. Hence, it has become easier for practitioners to combine the governance directions from COBIT with the activities in ITIL to create a comprehensive solution. Nonetheless, in the current version of COBIT 2019 each objective is mapped to ITIL v3 processes.

The below table is a high-level overview of how COBIT 2019 governance and management objectives are mapped to ITIL 4 practices. It should be noted that this is a very high-level chart showing similarities and should not be considered as an exact cross-reference of all of the content/activities within both of the frameworks. Its intention is to show how the implementation of ITIL practices in an organization will support governance implementation efforts.


Table 10.1 COBIT 2019 objectives compared to ITIL 4 practices

| COBIT 2019 governance and management objective | ITIL 4 practices |
|---|---|
| EDM03 Ensured risk optimization | Risk management |
| APO02 Managed strategy | Strategy management |
| APO03 Managed enterprise architecture | Architecture management |
| APO05 Managed portfolio | Portfolio management |
| APO06 Managed budget and costs | Service financial management |
| APO07 Managed human resources | Workforce and talent management |
| APO08 Managed relationships | Relationship management |
| APO09 Managed service agreements | Service level management |
| APO10 Managed vendors | Supplier management |
| APO12 Managed risk | Information security management (partial), Risk management |
| BAI02 Managed requirements definition | Business analysis, software development, and management |
| BAI03 Managed solutions identification and build | Service design |
| BAI04 Managed availability and capacity | Availability management, capacity, and performance management |
| BAI05 Managed organizational change | Organizational change management |
| BAI06 Managed IT changes | Change control |
| BAI07 Managed IT change, acceptance, and transitioning | Release management, deployment management |
| BAI08 Managed knowledge | Knowledge management |
| BAI09 Managed assets | IT asset management |
| BAI10 Managed configuration | Service configuration management |
| BAI11 Managed projects | Project management |
| DSS01 Managed operations | Infrastructure and platform management (partial) |
| DSS02 Managed service requests and incidents | Incident management, service desk, service request management |
| DSS03 Managed problems | Problem management |
| DSS04 Managed continuity | Service continuity management |
| DSS05 Managed security services | Information security management, |
| MEA01 Managed performance and conformance monitoring | Continual improvement, measurement and reporting |
| MEA02 Managed system of internal control | Information security management, (partial) |

Measurement and reporting (partial)


11 ITIL 4 and COBIT 2019: how they are different

COBIT 2019 focuses on the overall enterprise when creating and managing the governance system. On the other hand, ITIL 4 focuses on even the smallest opportunities of value creation between service providers and service consumers. Thus, COBIT 2019 is concerned with the system, whereas ITIL 4 is concerned with every process within the system regardless of its size.

ITIL 4 has continuously developed by applying an active and modular approach towards IT service management. Consequently, ITIL 4 can be used by any organization to manage and improve its IT services at all levels and at any size. COBIT 2019 is equally comprehensive in its coverage of IT governance. However, unlike ITIL 4 it would be difficult to scale down COBIT 2019 for use in a smaller organization. Yet, ITIL 4 and COBIT 2019 have been created for different purposes, so it would be unrealistic to expect them to apply to the same situation.

12 Conclusion

Organizations need to take a comprehensive view of IT services and govern them with the assistance of a robust governance framework. Moreover, the framework will need strong support from the top of the organization to achieve its aims.

I once worked on an interesting project in a large government organization using multiple frameworks: ITIL for Service Delivery, CMMI for Application development, PMBoK for Project Management, TOGAF for enterprise architecture, and so on. Each department was satisfied with their own management framework. However, senior management was finding it difficult to create an enterprise-wide performance picture for enabling strategic decisions. We successfully used COBIT as an integrator framework to correlate and map the other frameworks and project the enterprise-level performance dashboard without disturbing the other frameworks already in use. Further details can be found at http://www.isaca.org/COBIT/focus/Pages/dubai-customs-cobit-5-implementation.aspx [Accessed on 23 May 2019]

It is evident that COBIT 2019 can work in harmony with ITIL 4 in any complex IT environment. In particular, the implementation of a COBIT governance system will be greatly supported by the existence of ITIL 4 practices in that IT environment.

Whereas COBIT 2019 focuses on governance of enterprise IT, ITIL 4 focuses on management and execution of IT in the enterprise for value creation. Enterprises should use COBIT 2019 for deciding the ‘what’ part of the IT service value equation and should depend on ITIL 4 for seeking answers to the ‘how,’ ‘when,’ and ‘where’ questions. Both frameworks can be applied in a specific environment to work together. The presence of one in a certain environment will benefit the implementation of the other.


References

AXELOS (2019). ITIL® Foundation, ITIL 4 edition. London: The Stationery Office

ISACA (2018). COBIT® 2019 Design Guide. Schaumburg: ISACA

ISACA (2019). COBIT® 2019 Framework: Introduction and Methodology. Schaumburg: ISACA

ISACA (2018). COBIT® 2019 Implementation Guide. Schaumburg: ISACA

Vyas, V, GEIT. Al Ghaith, J. Al Yaqoobi, A, PMP. Hasan, SJ. (18 January 2016) Dubai Customs COBIT 5 Implementation. COBIT Focus, [online]. Available at: http://www.isaca.org/COBIT/focus/Pages/dubai-customs-cobit-5-implementation.aspx [Accessed 20 May. 2019]

13 About the author

Vishal is Chief Solutions Officer at Knowlathon, heading global consulting and coaching practice on IT Governance and IT Service management. He has delivered sessions and projects in over 24 countries over 15 years. He is passionate about coaching teams and organizations on ITSM, IT governance, and risk management to co-create unique solutions for complex and challenging environments. Vishal is especially adept at mentoring consultants and instructors to deliver high impact sessions and consulting assignments. He also actively participates in industry forums to create knowledge resources for advancement of public knowledge and understanding of best practice frameworks.


14 About AXELOS

AXELOS is a joint venture company co-owned by the UK Government’s Cabinet Office and Capita plc. It is responsible for developing, enhancing and promoting a number of best practice methodologies used globally by professionals working primarily in project, programme and portfolio management, IT service management and cyber resilience. The methodologies, including ITIL®, PRINCE2®, PRINCE2 Agile®, MSP®, RESILIA® and its newest addition AgileSHIFT®, are adopted in more than 150 countries to improve employees’ skills, knowledge and competence in order to make both individuals and organizations work more effectively.

In addition to globally recognized qualifications, AXELOS equips professionals with a wide range of content, templates and toolkits through the CPD aligned My AXELOS and our online community of practitioners and experts. Visit www.AXELOS.com for the latest news about how AXELOS is ‘Making organizations more effective’ and registration details to join AXELOS’ online community. If you have specific queries, requests or would like to be added to the AXELOS mailing list please contact [email protected].

15 Trade marks and statements

AXELOS®, the AXELOS swirl logo®, ITIL®, PRINCE2®, PRINCE2 Agile®, MSP®, M_o_R®, P3M3®, P3O®, MoP®, MoV®, RESILIA® are registered trade marks of AXELOS Limited. AgileSHIFT® is a trade mark of AXELOS Limited. All rights reserved. Copyright © AXELOS Limited 2019. COBIT® is a registered trademark of ISACA.

Image credits: ©Getty/Fuse, Figure 4.1 AXELOS (2019). London: The Stationery Office. Figures 3.1, 6.1, and 7.1 were created by the author.

Reuse of any content in this White Paper is permitted solely in accordance with the permission terms at https://www.axelos.com/policies/legal/permitted-use-of-white-papers-and-case-studies

A copy of these terms can be provided on application to AXELOS at [email protected]

Our White Paper series should not be taken as constituting advice of any sort and no liability is accepted for any loss resulting from or use of or reliance on its content. While every effort is made to ensure the accuracy and reliability of information, AXELOS cannot accept responsibility for errors, omissions or inaccuracies. Content, diagrams, logos and jackets are correct at time of going to press but may be subject to change without notice.

Sourced and published on www.AXELOS.com
