COBIT Vs. ITIL: Which Framework Works Best For Cybersecurity?

Jake Olcott | February 11, 2016 | tag: Vendor Risk Management

COBIT and ITIL are information technology management and IT governance frameworks, and both are popular around the world. They were created to provide management and guidance for IT services in businesses of all sizes.

Below, we’ve summarized the “COBIT vs. ITIL” discussion and explained the primary differences between the two frameworks.

What is COBIT 5?

Originally a loose acronym for “Control Objectives for Information and Related Technology,” COBIT is now only referred to in its short form. It was created by ISACA and first released in 1996. The most recent version — COBIT 5 — was released in 2012. It is a general framework built for IT professionals and provides a high-level outline of good security practices that help companies understand IT benefits and risks.

There are five principles that make up COBIT:

  1. Meeting stakeholder needs. This is incredibly general, but COBIT points out that meeting the needs of the stakeholder while still meeting the needs of the company is valuable.
  2. Covering the enterprise end-to-end. You must have a complete solution—not just pieces here and there. It’s important to take an in-depth look at network devices, endpoint solutions, as well as signature, non-signature, and heuristic base protection (and much more).
  3. Applying a single integrated framework. This isn’t to say you need only a single vendor for your framework, but rather that your framework must be organized and well thought-out.
  4. Enabling a holistic approach. You must have a plan of action that attacks an IT problem at multiple angles.
  5. Separating governance from management. Governance ensures that there is oversight, while management deals with the necessary processes and steps needed.

What is ITIL?

Created by Axelos, the Information Technology Infrastructure Library (ITIL) takes a much more specific approach than COBIT. It’s a checklist of sorts and details what those in the security space should be doing in particular areas of importance. ITIL has released five core publications that detail out their catalog of best IT practices:

To learn more about ITIL, check out their quick video: ITIL in 100 seconds.

Security is just one of the several categories that ITIL covers, and there’s quite a bit of information that is infrastructure-related. The framework goes through specific controls that should be in place, like how to handle proper password management and industry-specific compliance requirements that must be met, such as PCI or HIPPA.

COBIT Vs. ITIL: Primary Differences To Consider

New Call-to-actionThe primary difference between these two frameworks is that COBIT is general and ITIL gets into more specific recommendations. In my experience, COBIT isn’t brought up very often, because its recommendations are general best practices. I’m asked more frequently about the SANS critical security controls than about COBIT.

Because it provides more concrete information about what you should be doing to protect your organization, ITIL may be the more practical cybersecurity framework. IT security professionals certainly agree that high-level discussions around cybersecurity are important, but also want to be able to look through specific explanations and examples.

Trust, but verify.

Frameworks like COBIT and ITIL suggest certain best practices, like endpoint protection or firewall setup. It’s important that these suggestions are taken into consideration and, in many instances, implemented. And while this implementation of suggestions from these frameworks is an important cybersecurity practice, there’s no way to verify that they’re actually working.

This is where continuous monitoring solutions come into play. With continuous monitoring software, you’re able to determine whether the frameworks you or your vendors ascribe to are working or if something is misconfigured and allowing for cybersecurity vulnerabilities. Selecting a framework is important, but validating that the framework is correctly implemented is even more so. Take a look at BitSight Security Ratings for more details.

Need some assistance with the creation of your vendor security risk assessment? This ebook will give you a strong head start.


Suggested Posts

BitSight Integrates With ServiceNow to Reduce Risk Throughout Vendor Management Programs

Organizations rely on third-parties to keep competitive in the marketplace. The EY global third-party risk management survey highlights that in 2019–20, over 33% of the 246 global companies surveyed were managing and monitoring...


5 Best Practices for Conducting Cyber Security Assessments

Third parties are essential to helping your business grow and stay competitive. But if you’re not careful, your trusted partnerships can introduce unwanted cyber risk and overhead into your organization.


5 Tips to Improve Cyber Security Monitoring of Your Vendors

What’s the biggest struggle your vendor risk managers face when establishing cyber security monitoring processes? From sudden increases in the use of third-parties by your organization, to not knowing which vendors might be impacted by...


Get the Weekly Cybersecurity Newsletter.