ITIL or COBIT or something else? Which should organizations choose?

I have been to a number of IT service management conferences recently, and heard people explaining why they think organizations should use ITIL, or COBIT, or ISO/IEC 20000. I think this is the wrong way of looking at things, and that every IT organization should use all of these, and more, to build their management system.

Each of these frameworks and management system standards has value to offer, and they have different strengths and weaknesses. If you just pick one of them, you will miss out on some great guidance and your management system will be missing some important characteristics.

For example, implementing ITIL provides lots of detailed guidance on implementation of processes, but is fairly weak on governance and goal setting. On the other hand, COBIT 5 while very strong on governance and goal setting does not provide much detail on process implementation; and ISO/IEC 20000, which provides concise information about what the IT organisation should do, offers little guidance on how to set about actually doing it.

Here’s a brief summary of differences between ITIL, COBIT 5 and ISO/IEC 20000. I’m sure that supporters of each of these approaches will disagree with my summary, but this is how I see them:

freshservice-cobit-vs-itil-vs-iso-iec 2000-comparison

How wrong focus creates problems instead of solving them

Making sure that your organization is familiar with several sources of guidance instead of just one may seem counter-intuitive. Isn’t it much simpler, less time consuming, and more effective to choose just one and develop expertise in that?  Actually, in my experience, it’s not. IT organizations that run an “ITIL project” or a “COBIT project” tend to focus on the suggestions in that guidance, rather than on the needs of their own organization.


Source: The Sysadman Diaries

This misplaced focus tends to result in the development of bureaucratic management systems.  The changes proposed by such projects are too often imposed on, rather than embraced by IT staff; and too often they create little value for the organization that implements them.

When the outcomes of an improvement project are disappointing, any guidance used to create it tends to get a bad name. What’s more disappointing – the outcomes also tend to make people cynical about future projects to improve practice. What you should do is begin with your organization’s needs. Use suggestions from best practices and standards, but only when you are confident that they will help you implement a service improvement project which has clear business goals that you can measure and report to your stakeholders. Depending on the goals you are trying to achieve you will probably find that you end up wanting to include suggestions from one or more of the sources of guidance I have been writing about.

How can you combine different sources of guidance in your management system?

Obviously, this depends on what you are trying to do. For example, if your customers and users are not satisfied with how you manage and resolve incidents then you could decide to improve your processes for incident and problem management. Your goals could be to improve customer satisfaction, to reduce the amount of time it takes to resolve incidents, or even to reduce the number of incidents that have an impact on users. In this case, I would strongly recommend that you read and understand the guidance in ITIL, which is very strong in these areas and think about how you could use some of the ITIL ideas to improve how you work. But you should also read the relevant parts of COBIT, to get some ideas for possible process goals, metrics, activities, inputs, and outputs.

After you have read and thought about the guidance you will be well placed to make improvements that are tailored to meet your own specific needs. What you should end up with is an improved process that is right for you, that fits your culture and supports your organization’s goals. The process may be based on ideas from ITIL and COBIT, but your staff should see it as your process and should understand how it helps them deliver value to your customers.

ISO/IEC 20000 is somewhat different, since the requirement to achieve certification may come from outside the IT department, as a marketing or customer relationship initiative, in which case achievement of the certification may be a goal in itself. Even in this case, if you want real value from a project to achieve ISO/IEC 20000 certification then it is not just the certificate you need to focus on; you also need to think about how the improved processes will help you to deliver better value to your customers. Your improved processes must ensure you meet the requirements of the standard, but you may find that by using ideas from ITIL and COBIT to help you design the details, you maximize the value of achieving the certification.

Are there any other frameworks or standards I should be using?

There are lots of different frameworks and best practices that you can use to help you manage IT services. In addition to ITIL, COBIT, and ISO/IEC 20000 you could think about using ideas from:

ISO/IEC 27001 – the international standard for information security management If you are running IT services then you must make sure you understand the requirements for information security, and take these into account in designing your management system.

Agile – a development methodology that divides projects into short phases, each of which delivers valuable outcomes. Agile can provide a great framework for an ITSM improvement project, helping you to rapidly deliver measurable value in small increments.

Kanban – a methodology for managing work in progress, to optimize the use of resources. Kanban can provide a great way to manage the workload of technical people in an IT department, ensuring that you get maximum value from your limited resources.

PRINCE2 and PMIproject management methodologies. Every IT department manages lots of projects, and you need formal project management methodologies to ensure you get value from these.

In conclusion

You can probably think of many more best practices, frameworks and standards that could help you create value for your customers. Don’t be scared to include ideas from any approach that can help you do a great job. Remember that what you are creating is not an ITIL management system or a COBIT management system, it is your management system which you are designing to help you create value for your customers.

You can take the best suited practices from different standards and frameworks and combine them into a system that works for you, rather than strictly following a single framework.

Leave a Reply

Your email address will not be published. Required fields are marked *

9 thoughts on “ITIL or COBIT or something else? Which should organizations choose?

  1. Regarding ISO20K, this is a gem: “Even in this case, if you want real value from a project to achieve ISO/IEC 20000 certification then it is not just the certificate you need to focus on; you also need to think about how the improved processes will help you to deliver better value to your customers. Your improved processes must ensure you meet the requirements of the standard, but you may find that by using ideas from ITIL and COBIT to help you design the details, you maximise the value of achieving the certification.”

    The certification is a stepping stone, as the achievement of it may change culture and behaviors to a degree.

    1. I’m not sure you’re right Rob. I think it depends on their level of maturity and the history of how they got to where they are.

      I understand how COBIT could make a great umbrella to help an organization see how all aspects of a management system tie together, but COBIT practitioners tend to be so strongly focussed on governance and compliance that it can be hard to get the help needed to make this work in practice.

      1. Well there are a few more generalists like me using COBIT 🙂 And those audit/compliance specialists are often EXACTLY who is needed to help understand an uber-framework and why it is needed and what the current capability is.

        ITIL still has a huge role to play. COBIT is the big-picture CEO and ITIL is their deep-thinking key lieutenant. I just think COBIT should call the shots. It is concise, decisive, holistic, and gets to the point

        1. I absolutely agree that this is a valid model Rob, and it can work very well.

          I also think that COBIT is not the right framework for some organizations and that each organization needs to decide for itself which standards and best practices will help to meet their needs.

          1. Yeah 100% agree horses for courses.
            Often ITIL is a given, no use discussing it.
            if there is room for debate, I’ll always put the COBIT case 🙂

            And if they want an ITIL assessment I have to send them to another consulting group 🙁 so I’m hardly incented to promote ITIL

  2. Stuart- I agree – IMHO the business needs to know
    their goals, objectives and expectations. A business should apply due diligence in defining what tools or methods to use moving forward with any change.

    With that said each downstream
    group also needs to know their own environment well enough to collectively
    and iteratively couple with upstream leadership. The human element
    always governs technology – the lights can blink all day long , process,
    procedure , governance and direction can either hurt or help the business.