Joined: Jun 20, 2004 Posts: 1 Location: United Kingdom
Posted: Sun Jun 20, 2004 11:35 pm Post subject: ITIL, COBiT & Sarbanes-Oxley
Our US head office is about to embark on a project to become Sarbanes-Oxley compliant. I am the IT manager of the UK division and have recently completed the ITIL Foundation and as such want to implement this framework throughout our European locations.
I have read up on the Sarbanes-Oxley act and notice that it uses COBiT as the framework. Has/is anyone in a similar position? How does ITIL fit in with the SOX act and what are the requirements of UK divisions of US companies? Would we be better using COBiT in the UK or can we use a mix of both? I would like to discuss/exchange ideas on this subject.
Joined: Jun 21, 2004 Posts: 5 Location: Malvern, UK
Posted: Tue Jun 22, 2004 12:54 am Post subject:
There is a lot of legislation 'heading our way', SOX being one of them, and a plethora of UK and EU directives.
It's all about strengthening controls about the ways companies work and report after a number of high-profile collapses for some major US companies. It can be summarised as: "To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes."
So, the CFO has his/her 'neck on the block' on this one.
Now, on the other hand, the vast majority of this information required is in the IT systems, and it is seldom that the CIO has 'free rein' over the domain he looks after (IT Department).
This leads to a disconnect between CFO and CIO in terms of their responsibilities: imagine, the CIO being 'hauled off to jail', because the CFO failed to provide the budget to enable the CIO to comply.
A lot of CIOs are extremely interested in IT/IS Governance, which people are writing whole volumes about.
But back to the immediate question: ITIL & COBIT.
IT Service delivery is concerned with the operational aspects of the IT function, providing an efficient and continuous service that meets the requirements of the organisation. This involves aspects such as systems availability, systems integrity, network security, identity and access management and Business Continuity.
This is a key area of compliance for SOX. And this covers both ITIL and COBIT.
If you focus on just one thing, say security (COBIT), how will that impact on availability, business continuity?
You actually have to do both. I actually think that once this is realised, it will be an enormous boost for ITIL.
What does seem to be happening in the marketplace today is that companies are buying tools to help them comply (Risk Management, Portfolio Management, Change Management and Balanced Scorecard Software), as they 'have to comply'. This will not get around the process issues (well, in my humble opinion).
To do it right, well, you have to actually do it right, and that means investment for tools and COBIT and ITIL, and that is big, so you need a sound ROI and a business case to convince the C-level.
Posted: Thu Aug 19, 2004 6:56 am Post subject: ITIL & SOX & ISO
Greetings. SOX compliance is quite compatible within a QMS framework (e.g. going for ISO 9001:2000), and a real plus, as it is very possible to scope the financial world out of one's ISO scope, but now they have to "play" along with the rest of us (given that IT was always in scope, at least for my company, as it helped in the product/service delivery cycle). Once we have our SOX-compliant procedures in place and have gotten our 3rd party auditing firm to do its 4th quarter testing, I am going to transfer all of the SOX-based SOPs or Work Instructions into the QMS; this is something that my CEO wants and supports.
What I am wrestling now with is the compatibility with the ITIL approach and a pre-existing (but not yet cast in concrete) QMS structure. Has anyone been through that particular experience, or have any words of wisdom?
Wow - I really think this is an actual cutting edge debate. I too would love to hear ANY first hand experiences. There can't be too many going down this line, so we may have a bit of a wait. But any input on this is valued.
In my previous life as a CIO, I have been through the documentation of processes to track the flow and security of financial information deemed critical by our organization. This is the gist of SOX compliance. I used a really cool workflow management tool called Autobahn by NewRoad Software to track and notify if certain criteria were out of compliance.
I heard they have a booth at the ITSMF conference in Long Beach later this month.
Let me know if you need further information and I will try and help.
tim.seiter@conexio.com
Posted: Wed May 18, 2005 10:58 pm Post subject: ITIL and COBIT
Here is how it was explained to me...
- 1st and foremost, ITIL is not a standard as everyone knows. As a result, auditors are asking you to be 'ITIL compliant'. They're asking you to comply with something else.
- COBIT is an IT Governance initiative
- COBIT doesn't actually specify HOW to implement processes, just what they should accomplish
- COBIT auditors utilize ITIL as a framework during the auditing process
- ITIL does the HOW with respect to the goals of COBIT
- As a result, companies are moving towards ITIL to comply with both COBIT and other IT initiatives.
close. ITIL is the What, the framework as you indicated in your first phrase. It just lays out the basic framework, as a house.
How you build the house, the number of windows, the shape of the house, the number of rooms, size of rooms, etc. is the HOW and that is COBIT.
ITIL will say you need a louvre, or bathroom, or toilet, or whatever you call it, and it needs a handle, the ability to flush, etc. COBIT will tell you the handle needs to be brass, the toilet needs to be 18 inches away from the wall and the capacity based on the people using it. 20 construction workers will need a different type of toilet than a 7 year old girl, but they both need to flush the deposits.
Close. However, ITIL would be about what you said above (Bathroom Scenario). COBiT would say you need controls in place to ensure only appropriate and authorized people can flush that toilet, and that you have controls in place to detect who flushed that toilet... but enough of the sarcasm, sorry.
ITIL is a bit more specific as it relates to roles and responsibilities and activities within a Process. COBiT states the tasks that are vital activities within a process, such that there needs to be a way to show evidence that this activity is occurring.
e.g. Change Management (ITIL) or Manage Changes (COBiT - AI6)
COBiT says (snippets): have controls to ensure all Changes are recorded, classified, prioritized, Risks and impacts are assessed, ...
ITIL says, when recording changes, you should record the CI to be changed, cost and benefit of change. In addition, prioritization should be something like low, med, high (with examples of what these mean); Categories of impact are like minor, substantial, major (with descriptions also).
So basically COBiT would say a Change request needs to have a priority; ITIL would help you decide what priority levels you should have. COBiT would say all changes need to be authorized; ITIL would say here is a good process for Authorizing changes...
ITIL is giving a lot more from a content perspective and the HOW. COBiT is very high level and does not touch on the HOW, just the WHAT.