May 6, 2019
Update 2022-04-26.
We often come across discussions comparing different governance standards and frameworks, such as ISO 27001 and COBIT. ISO 27001 focuses on information security controls, whereas COBIT is a governance framework whose domains also cover some ISO 27001-related topics, such as security, risk, and change management. This article defines both and explains the similarities and differences between ISO 27001 and COBIT.
What is COBIT?
COBIT (Control Objectives for Information and Related Technologies) is an IT management and governance framework managed by ISACA (Information Systems Audit and Control Association). It provides implementable controls over information technology, organized into IT-related processes, which support the fulfillment of these business requirements:
- effective use of information, considering relevance, time, and delivery conditions
- efficient allocation of resources
- confidentiality, to protect information against unauthorized access and disclosure
- integrity of information content
- availability when demanded by business processes
- compliance with legal requirements
- reliability of information used to make decisions
The current version of the COBIT processes framework was published in 2019. Similar to the previous version, COBIT 2019 is divided into five domains:
- evaluate and direct: effective governance of IT involves the identification, evaluation, prioritization, and direction of organizational goals
- plan and organize: the use of IT to help the organization to achieve its objectives
- acquire and implement: the acquisition of IT solutions, their integration with business processes, and the maintenance required to ensure these solutions keep fulfilling business needs
- deliver and support: focus on applications’ execution and their results in an effective and efficient way; it also covers security and training needs
- monitor and evaluate: provides assurance that IT solutions are achieving their goals and complying with legal requirements
For each process, COBIT defines inputs, outputs, key activities, objectives, and performance measures. Although COBIT has more detail in terms of processes, it still lacks technical details to support implementation.
And, what about ISO 27001?
ISO 27001 is the ISO standard that describes how to manage information security in an organization. It consists of 11 clauses in the main part of the standard, and 114 security controls grouped into 14 sections in Annex A. ISO 27001:2013 clauses from the main part of the standard are:
- 4 – Context of the organization
- 5 – Leadership
- 6 – Planning
- 7 – Support
- 8 – Operation
- 9 – Performance evaluation
- 10 – Continual improvement
ISO 27001:2013 Annex A covers controls related to organizational structure (physical and logical), human resources, information technology, supplier management, etc.
For detailed information, read: A first look at the new ISO 27001 and An overview of ISO 27001:2013 Annex A.
One of the limitations of ISO 27001 is that it does not provide detail on what to do to fulfill requirements or implement controls, only about what you need to achieve. For detailing, you can use ISO 27002 as guidance. For more information, read: ISO 27001 vs. ISO 27002.
Certification
An individual can get certified for ISO 27001 by attending the course and passing an exam, for example, as a Lead Implementer or Lead Auditor.
However, ISO 27001 is primarily intended for the certification of companies – to learn more, read the article ISO 27001 certification for persons vs. organizations.
On the other hand, COBIT certification is possible only for individuals, while an organization cannot be certified against COBIT.
Key difference between COBIT and ISO 27001
The key difference between ISO 27001 and COBIT is that the first one is solely for the purpose of information security, and the second one is for management and governance of information technology business processes.
We can consider COBIT to be an umbrella or superset that focuses on the management and governance of information technology (IT). COBIT not only addresses security in an organization, but also covers the way an organization structures, arranges, and oversees its IT operations. It includes all information technology controls, measures, and processes. It helps an organization map its own business goals to its IT goals. It also supplies measurements and provides maturity models to measure an organization’s achievement. Additionally, it helps to identify the organization’s key business responsibilities and the IT process owners.
ISO 27001, on the other hand, is an international standard for Information Security Management Systems. It focuses on performing a risk assessment and then applying specific security controls for protecting the organization’s critical information assets.
Benefits
The main benefit of implementing ISO 27001 is a systematic Information Security Management System that helps with the identification of critical information, the information security risk assessment of the system, and the implementation of security controls, all of which help to create a security-aware culture in the organization.
ISO 27001 benefits the organization in terms of its security, while COBIT helps an organization adopt a systematic approach to IT and meet its performance goals. Other benefits of COBIT include addressing all organizational needs, such as the needs of stakeholders, and making use of innovation and technology.
For more about the benefits of ISO 27001, read the article Four key benefits of ISO 27001 implementation.
How ISO 27001 and COBIT are related
ISO 27001 consists of 11 main clauses (out of which 7 are mandatory), and 114 controls in the Annex A (which are selected based on the results of risk management). COBIT 2019 is based around a core model of 40 management objectives in five categories. This is how ISO 27001 and COBIT are related:
Which one to choose?
As explained in this article, ISO 27001 is an international standard focusing only on security, while COBIT has a wider scope, focusing on information technology governance, though security is also part of the framework.
Hence, if your target is to protect the information assets of your organization by implementation of appropriate and relevant security controls, then go for implementation of ISO 27001. However, if you are looking for an information technology governance and management model for the business process owners and managers to improve business process management, while enhancing the value delivered from your IT business and managing IT risks, then go for the COBIT framework.
To learn how to comply with ISO 27001, while also implementing privacy and cybersecurity controls, sign up for a 14-day free trial of Conformio, the leading ISO 27001 compliance software.