Why COBIT wins in a showdown with ITIL
I like ITIL. I use it quite a bit. But it puzzles me why ITIL is the default source of
bestgood, generally accepted practice for IT processespractices. Often people talk as if it is the only source.
My default source of IT good practice is COBIT. It wins over ITIL, hands down.As a consultant, COBIT is my first-choice body of knowledge for my engagements. I go to it first to assess, to frame, to define, to justify, to audit. I turn to ITIL second, when I need more detail, or when I need the authority of the holy of holies to justify what I suggest. I presented this at the Pink Elephant 2012 conference, in a session called Showdown of the Methodologies.
For me it is a no-brainer to reach for COBIT first and most often:
- Purpose. ITIL is an ITSM framework. COBIT is an IT practice (and now governance) framework. ITSM has grown to mean "all of IT management seen from a service perspective" but that service slant or bias remains. COBIT is intended to be a comprehensive description of all IT practices. It may not do that perfectly but it comes much closer than ITIL because it doesn't constrain itself to ITSM. Which leads us to...
- Coverage. According to “Aligning CobiT® 4.1, ITIL® V3 and ISO/IEC 27002 for Business Benefit” which was issued jointly by ISACA and OGC (co-written by the ITIL Refresh Chief Editor and reviewed by the ITIL Chief Architect), ITIL covers less than half of COBIT's range and only completely covers about a quarter of the practices (8 of the 34 COBIT processes) ...and that's COBIT 4.1. I bet COBIT 5 opens the gap even further.
- Rigour. ITIL is the Hitchhikers' Guide, COBIT is the Encyclopaedia . ITIL's narrative style (no really, compared to other frameworks it is downright chatty) may appeal, but as a foundation for my consulting activities the rigour and structure of COBIT is more dependable and useful. COBIT is systematically numbered; and every entity has a consistent structure. I actually find the formal COBIT structure much easier to use than the ITIL rambling: I find answers quicker, I get clearer concepts with less confusion, and I frame things readily.
- Benchmark. You can assess against COBIT; it has clearly defined requirements. That was one of COBIT's early drivers for adoption: auditing IT for SOx compliance. COBIT auditors/assessors are certified (CISA). To assess against ITIL you need to go to proprietary benchmarks (including TIPA, not to be confused with my Tipu). ISO20000 compliance is not the same thing as ITIL "compliance".
- Credibility. COBIT is written by a team, not a couple of authors per book. The same team for all the books. And then the list of all COBIT contributors and reviewers runs to pages. It is owned and published by a not-for-profit membership body set up and run by auditors, process geeks and security wonks. Its governance (and discretion) rocks. Unfortunately ISACA is American-centred but you can't have everything.
- Accessibility. COBIT is low cost (see below) compared to ITIL. There is a copyright and trademark waiver for use by consultants and vendors. You can subscribe to an interactive personalised online version (only COBIT 4.1 for now).
- Novelty. COBIT is of course not "new" any more than ITIL was when the world "discovered" it a decade ago. But COBIT has yet to be a fad, and the world is ready for a new fad as the realities of ITIL sink in. COBIT has none of the negative baggage accruing on ITIL. I think COBIT is IT's next silver bullet.
- Governance. COBIT will be embraced because the realisation is dawning that Cloud and SaaS and BYOD are business decisions not IT decisions, and that therefore it is high time the organisation as a whole stepped up to its responsibilities for IT instead of abdicating and blaming IT. Organisations have failed their IT like a bad parent, and the road to redemption is via better enterprise-level governance of IT, and that's what COBIT 5 is all about. ITIL V3 Service Strategy actually talks about governance quite a lot but nobody has read it. COBIT has the governance high ground.
Join ISACA to get COBIT
Yes the COBIT core is free... well close to it. ISACA want your email registration to get the main COBIT 5 overview but they don't want money.
They want your ISACA membership fee (about $150 membership - varies by region) to get the remaining books in digital format for free, but personally I think that is a good deal, especially allowing for all the other benefits of membership. I pay it. I buy the hardcopy versions too at the heavily discounted members' price, but I'm like that: I still prefer paper to bytes.
If you are not the joining kind, you can still buy the books, digital and hardcopy, but you will spend at least as much as the membership fee without all the other benefits of membership. I get more value from ISACA than I do from itSMF. If you are going to actually use COBIT, at a minimum you need COBIT 5 (the overview and framework) and COBIT 5: Enabling Process (the details of all the processes) and you could also get COBIT 5: Implementation (putting in place governance and management of IT). To buy all three will cost you
It is worth noting that what they give away for free in COBIT 5 is less than they gave away in COBIT 4.1. The free core in COBIT 4.1 is the equivalent of the COBIT 5: Enabling Process book and then some. Still, $250-odd buys you a lot of COBIT 5.
If all you want is overall awareness, then you don't even need to register let alone pay. You can download a few documents without registration that will give you the picture:
- Executive Summary (powerpoint)
- COBIT 5 Introduction (powerpoint)
- Framework Overview, the main diagrams describing COBIT 5's structure (pdf)
- Toolkit, a zipfile of articles, presentations and a spreadsheet.
ITIL has some advantages
Where does ITIL win over COBIT?
- ITIL is much more a source of ideas and options, information, and explanation on why we do things. There is much more meat on ITIL.
- ITIL has a much larger user base, higher brand recognition, and more momentum.
- ITIL has an extensive certification scheme. I think too extensive, but some appreciate it.
- I suppose I must count the ITIL software compliance schemes, either the British Government one or PinkVerify, though I think they are both pretty pointless, but once again they give some people comfort.
I don't count the prISM accreditation scheme as an advantage for ITIL. First I think it is crazy over-the-top. Second, ISACA provides accreditation specific to COBIT. Third, the IT community accredits the broader IT space that COBIT addresses (e.g. in New Zealand we have IT Certified Professional accreditation from the Computer Society, and in the UK they have similar CITP)
Everyone in IT should have COBIT
I would encourage everyone in IT to have a copy of COBIT 5 at hand. I use COBIT:
- to frame: a structure for framing any IT management thinking
- to assess or audit: a checklist for any form of review: process capability assessment, current state review, document audit, process audit...
- to define:
- descriptions of practices and their deliverables
- an input to role descriptions, especially the RACI responsibility matrices
- management and governance mechanisms
(fleshed out when necessary with other sources such as ITIL)
- to justify: an authorative reference for IT "best practice"