Difference between COBIT and ITIL

COBIT (Control Objectives for Information and Related Technology) and ITIL (Information Technology Infrastructure Library) have been used by information technology professionals in the IT service management (ITSM) space for many years. Used together, COBIT and ITIL provide guidance for the governance and management of IT-related services by enterprises, whether those services are provided in-house or obtained from third parties such as service providers or business partners.

ITIL could be seen as the way to manage the IT services across their lifecycle, while COBIT is about how to govern the Enterprise IT in order to generate the maximum creation of value by the business, enabled by IT investments, while optimizing the risks and the resources. COBIT 5 describes the principles and enablers that support an enterprise in meeting stakeholder needs, specifically those related to the use of IT assets and resources across the whole enterprise. ITIL describes in more detail those parts of enterprise IT that are the service management enablers (process activities, organizational structures, etc.).

Generally speaking, COBIT is broader than ITIL in its scope of coverage.

Purpose: ITIL is an ITSM framework. COBIT is an IT practice (and now governance) framework. ITSM has grown to mean “all of IT management seen from a service perspective” but that service slant or bias remains. COBIT is intended to be a comprehensive description of all IT practices. It may not do that perfectly but it comes much closer than ITIL because it doesn’t constrain itself to ITSM.

Coverage: ITIL covers less than half of COBIT’s range and only completely covers about a quarter of the practices (8 of the 34 COBIT processes) and that’s COBIT 4.1 whereas COBIT 5 opens the gap even further.

Rigour: ITIL’s narrative style (no really, compared to other frameworks it is downright chatty) may appeal, but as a foundation for my consulting activities the rigour and structure of COBIT is more dependable and useful. COBIT is systematically numbered; and every entity has a consistent structure. I actually find the formal COBIT structure much easier to use than the ITIL rambling: I find answers quicker, I get clearer concepts with less confusion, and I frame things readily.

Benchmark: You can assess against COBIT; it has clearly defined requirements. That was one of COBIT’s early drivers for adoption: auditing IT for SOx compliance. COBIT auditors/assessors are certified (CISA). To assess against ITIL you need to go to proprietary benchmarks (including TIPA, not to be confused with my Tipu). ISO20000 compliance is not the same thing as ITIL “compliance”.

Credibility: COBIT is written by a team, not a couple of authors per book. The same team for all the books. And then the list of all COBIT contributors and reviewers runs to pages. It is owned and published by a not-for-profit membership body set up and run by auditors, process geeks and security wonks.

Accessibility: COBIT is low cost compared to ITIL. There is a copyright and trademark waiver for use by consultants and vendors. You can subscribe to an interactive personalized online version (only COBIT 4.1 for now).

Novelty: COBIT is of course not “new” any more than ITIL was when the world “discovered” it a decade ago. But COBIT has yet to be a fad, and the world is ready for a new fad as the realities of ITIL sink in. COBIT has none of the negative baggage accruing on ITIL. I think COBIT is its next silver bullet.

Governance: COBIT will be embraced because the realization is dawning that Cloud and SaaS and BYOD are business decisions not IT decisions, and that therefore it is high time the organization as a whole stepped up to its responsibilities for IT instead of abdicating and blaming IT. Organizations have failed their IT like a bad parent, and the road to redemption is via better enterprise-level governance of IT, and that’s what COBIT 5 is all about. ITIL V3 Service Strategy actually talks about governance quite a lot but nobody has read it. COBIT has the governance high ground.