ISO 27001 and COBIT 2019 are both frameworks dealing with the way organisations manage and oversee their IT systems. The two frameworks operate in different ways, but the big difference between the two is that ISO 27001 relates mainly to security while COBIT 2019 is about IT overall.
ISO 27001 is a standard from the International Organization for Standardization. It deals with having an “information security management system”, meaning it’s more about the wider processes and principles of managing IT security than about specific measures.
The key point of ISO 27001 is to introduce a systematic approach to maintaining security by creating an “information security management system” or ISMS. The idea is that the ISMS will make it standard practice across an organisation to control and mitigate IT security risks, rather than relying on a piecemeal approach.
Though the standard is detailed, it’s based around the relatively straightforward principles of:
ISO 27001 lists the 114 security controls that should be considered, but the accompanying ISO 27002 serves as a code of practice, providing more detail on how organisations could implement those controls.
ISO 27001 is broken into 13 sections, covering both the background of the standard and the steps an organisation must take:
COBIT 2019 (Control Objectives for Information and Related Technologies) is a framework from ISACA, a professional association for the IT governance industry. Unlike ISO 27001, it covers the way an organisation organises and oversees all its IT operations, not just the security aspect.
The overall theme of COBIT is that organisations should align their IT goals with their wider business goals. This can include having better access to information when making business decisions and using IT to achieve the company’s strategic aims.
The framework is detailed and wide-ranging, with some of the key areas being:
COBIT 2019 is based around a core model of 40 management objectives in five categories:
Evaluate, Direct and Monitor
Align, Plan and Organise
Build, Acquire and Implement
Deliver, Service and Support
Monitor, Evaluate and Assess
COBIT 2019 is the latest edition of COBIT; previous editions were simply numbered, the most recent being COBIT 5. As well as being updated to reflect new technology, key changes in COBIT 2019 include:
ISACA will continue to support COBIT 5, for example by offering training and documentation.
Businesses shouldn’t normally need to choose between the two frameworks or find them contradictory. Both allow a lot of flexibility for the specifics of achieving the required goals rather than prescribing specific measures.
As well as having different scopes, the two frameworks will normally have their biggest effect on different layers of an organisation’s hierarchy. ISO 27001 covers a narrower, more specific area that’s usually the realm of mid-level staff. COBIT covers a broader area that’s more likely to involve decisions by top-level staff.