ISO 27001 and COBIT 2019 are both frameworks dealing with the way organisations manage and oversee their IT systems. The two frameworks operate in different ways, but the big difference between the two is that ISO 27001 relates mainly to security while COBIT 2019 is about IT overall.
ISO 27001 is a standard from the International Organization for Standardization. It deals with having an “information security management system”, meaning it’s more about the wider processes and principles of managing IT security than about specific measures.
The key point of ISO 27001 is to introduce a systematic approach to maintaining security by creating an “information security management system” or ISMS. The idea is that the ISMS will make it standard practice across an organisation to control and mitigate IT security risks, rather than relying on a piecemeal approach.
Though the standard is detailed, it’s based around the relatively straightforward principles of:
- assessing risks;
- setting out ways to manage those risks;
- deciding what you need to achieve with security controls;
- implementing the appropriate security controls; and
- regularly reviewing the ISMS’s performance and revising it where needed.
ISO 27001 lists the 114 security controls that should be considered, but the accompanying ISO 27002 serves as a code of practice that provides more detail on how organisations could implement those controls.
ISO 27001 Structure
ISO 27001 is broken into 13 sections, covering both the background of the standard and the steps an organisation must take. These include:
- Normative references (which note that ISO 27000, an overview document, is the only other standard that is essential to use alongside ISO 27001)
- Terms and definitions
- Context, namely the way an ISMS must be relevant to the organization’s nature and set-up
- Leadership, namely that the ISMS needs buy-in from the top levels of management
- Performance evaluation
- Annex (a list of the sections in ISO 27002)
COBIT 2019 (Control Objectives for Information and Related Technologies) is a framework from ISACA, a professional association for the IT governance industry. Unlike ISO 27001, it covers the way an organisation organises and oversees all its IT operations, not just the security aspect.
The overall theme of COBIT is that organisations align their IT goals with their wider business goals. This can include having better access to information when making business decisions and using IT to achieve the company’s strategic aims.
The framework is detailed and wide-ranging, with some of the key areas being:
- making sure IT can be used in a reliable and efficient way;
- managing IT risks;
- avoiding wasted IT expenditure; and
- complying with relevant laws and contract terms.
COBIT 2019 Structure
COBIT 2019 is based around a core model of 40 management objectives in five categories.
Evaluate, Direct and Monitor
- EDM01—Ensured Governance Framework Setting and Maintenance
- EDM02—Ensured Benefits Delivery
- EDM03—Ensured Risk Optimization
- EDM04—Ensured Resource Optimization
- EDM05—Ensured Stakeholder Engagement
Align, Plan and Organise
- APO01—Managed I&T Management Framework
- APO02—Managed Strategy
- APO03—Managed Enterprise Architecture
- APO04—Managed Innovation
- APO05—Managed Portfolio
- APO06—Managed Budget and Costs
- APO07—Managed Human Resources
- APO08—Managed Relationships
- APO09—Managed Service Agreements
- APO10—Managed Vendors
- APO11—Managed Quality
- APO12—Managed Risk
- APO13—Managed Security
- APO14—Managed Data
Build, Acquire and Implement
- BAI01—Managed Programs
- BAI02—Managed Requirements Definition
- BAI03—Managed Solutions Identification and Build
- BAI04—Managed Availability and Capacity
- BAI05—Managed Organizational Change
- BAI06—Managed IT Changes
- BAI07—Managed IT Change Acceptance and Transitioning
- BAI08—Managed Knowledge
- BAI09—Managed Assets
- BAI10—Managed Configuration
- BAI11—Managed Projects
Deliver, Service and Support
- DSS01—Managed Operations
- DSS02—Managed Service Requests and Incidents
- DSS03—Managed Problems
- DSS04—Managed Continuity
- DSS05—Managed Security Services
- DSS06—Managed Business Process Controls
Monitor, Evaluate and Assess
- MEA01—Managed Performance and Conformance Monitoring
- MEA02—Managed System of Internal Control
- MEA03—Managed Compliance With External Requirements
- MEA04—Managed Assurance
COBIT 2019 Changes
COBIT 2019 is the latest edition of COBIT; previous editions were simply numbered, with the most recent being COBIT 5. As well as being updated to reflect new technology, key changes in COBIT 2019 include:
- A switch to a more “open source” update model that means users can suggest changes to COBIT, which will now be updated more regularly rather than have entirely new editions.
- More flexibility so that COBIT can be applied to specific projects rather than the entire organisation.
- A bigger emphasis on COBIT training, with a selling point that the new update model means training won’t become obsolete when a new edition emerges.
ISACA will continue to support COBIT 5, for example by offering training and documentation.
How They Interact
Businesses shouldn’t normally need to choose between the two frameworks or find them contradictory. Both allow a lot of flexibility for the specifics of achieving the required goals rather than prescribing specific measures.
As well as having different scopes, the two frameworks will normally have their biggest effect on different layers of an organization’s hierarchy. ISO 27001 covers a narrower, more specific area that’s usually the realm of mid-level staff. COBIT covers a broader area that’s more likely to involve decisions by top-level staff.