COBIT Vs. ITIL: Which Framework Works Best For Cybersecurity?

COBIT and ITIL are information technology management and IT governance frameworks, and both are popular around the world. They were created to provide management and guidance for IT services in businesses of all sizes.

Below, we’ve summarized the “COBIT vs. ITIL” discussion and explained the primary differences between the two frameworks.

What is COBIT 5?

Originally a loose acronym for “Control Objectives for Information and Related Technology,” COBIT is now only referred to in its short form. It was created by ISACA and first released in 1996. The most recent version — COBIT 5 — was released in 2012. It is a general framework built for IT professionals and provides a high-level outline of good security practices that help companies understand IT benefits and risks.

There are five principles that make up COBIT:

  1. Meeting stakeholder needs. This is incredibly general, but COBIT points out that meeting the needs of the stakeholder while still meeting the needs of the company is valuable.
  2. Covering the enterprise end-to-end. You must have a complete solution—not just pieces here and there. It’s important to take an in-depth look at network devices, endpoint solutions, as well as signature, non-signature, and heuristic base protection (and much more).
  3. Applying a single integrated framework. This isn’t to say you need only a single vendor for your framework, but rather that your framework must be organized and well thought-out.
  4. Enabling a holistic approach. You must have a plan of action that attacks an IT problem at multiple angles.
  5. Separating governance from management. Governance ensures that there is oversight, while management deals with the necessary processes and steps needed.

What is ITIL?

Created by Axelos, the Information Technology Infrastructure Library (ITIL) takes a much more specific approach than COBIT. It’s a checklist of sorts and details what those in the security space should be doing in particular areas of importance. ITIL has released five core publications that detail out their catalog of best IT practices:

To learn more about ITIL, check out their quick video: ITIL in 100 seconds.

Security is just one of the several categories that ITIL covers, and there’s quite a bit of information that is infrastructure-related. The framework goes through specific controls that should be in place, like how to handle proper password management and industry-specific compliance requirements that must be met, such as PCI or HIPPA.

40 questions vendor risk ebook

With this ebook, we'll help you prioritize which vendors need the most attention with an in-depth security assessment – such as those with low security ratings, or critical vendors that maintain constant contact with your company’s systems. 

Download eBook
Button Arrow

COBIT Vs. ITIL: Primary Differences To Consider

The primary difference between these two frameworks is that COBIT is general and ITIL gets into more specific recommendations. In my experience, COBIT isn’t brought up very often, because its recommendations are general best practices. I’m asked more frequently about the SANS critical security controls than about COBIT.

Because it provides more concrete information about what you should be doing to protect your organization, ITIL may be the more practical cybersecurity framework. IT security professionals certainly agree that high-level discussions around cybersecurity are important, but also want to be able to look through specific explanations and examples.

Trust, but verify.

Frameworks like COBIT and ITIL suggest certain best practices, like endpoint protection or firewall setup. It’s important that these suggestions are taken into consideration and, in many instances, implemented. And while this implementation of suggestions from these frameworks is an important cybersecurity practice, there’s no way to verify that they’re actually working.

This is where continuous monitoring solutions come into play. With continuous monitoring software, you’re able to determine whether the frameworks you or your vendors ascribe to are working or if something is misconfigured and allowing for cybersecurity vulnerabilities. Selecting a framework is important, but validating that the framework is correctly implemented is even more so. Take a look at BitSight Security Ratings for more details.

Need some assistance with the creation of your vendor security risk assessment? This ebook will give you a strong head start.