Information technology experts have already worked through many of the difficulties of managing data and information in a corporate environment, particularly around accessibility, shareability and contributions. You only need to follow their guidelines and respect their findings. The methodologies and frameworks below are recognized and followed by a large number of organizations.
- COBIT: Published by ISACA, COBIT is a comprehensive framework of “globally accepted practices, analytical tools and models” designed for the governance and management of enterprise IT. With its roots in IT auditing, ISACA expanded COBIT’s scope over the years to fully support IT governance. The latest version is COBIT 5, which is widely used by organizations focused on risk management and mitigation.
- ITIL: The Information Technology Infrastructure Library (ITIL) aims to ensure that IT services and support activities are in line with business requirements. It comprises five sets of management best practices, covering service strategy, design, transition (such as change management), operation and continual service improvement.
- COSO: This model for evaluating internal controls is from the Committee of Sponsoring Organizations of the Treadway Commission (COSO). COSO’s focus is less IT-specific than the other frameworks, concentrating more on business aspects like enterprise risk management (ERM) and fraud deterrence.
- CMMI: The Capability Maturity Model Integration method, developed by the Software Engineering Institute, is an approach to performance improvement. CMMI uses a scale of 1 to 5 to gauge an organization’s performance, quality and profitability maturity level. According to Calatayud, “allowing for mixed mode and objective measurements to be inserted is critical in measuring risks that are qualitative in nature.”
- FAIR: Factor Analysis of Information Risk (FAIR) is a relatively new model that helps organizations quantify risk. The focus is on cyber security and operational risk, with the goal of making more well-informed decisions. Although it’s newer than other frameworks mentioned here, Calatayud points out that it’s already gained a lot of traction with Fortune 500 companies.
Which framework should you choose?
Most IT governance frameworks are designed to help you determine how your IT department is functioning overall, what key metrics management needs and what return IT is giving back to the business from its investments.
Whereas COBIT and COSO are used mainly for risk, ITIL helps streamline services and operations. Although CMMI was originally intended for software engineering, it now also covers processes in hardware development, service delivery and purchasing. As previously mentioned, FAIR is squarely aimed at assessing operational and cyber security risks.
When reviewing frameworks, consider your corporate culture. Does a particular framework or model seem like a natural fit for your organization? Does it resonate with your stakeholders? That framework is probably the best choice.
But you don’t have to choose only one framework. For example, COBIT and ITIL complement one another: COBIT often explains why something is done or needed, while ITIL provides the “how.” Some organizations have used COBIT and COSO together, along with the ISO 27001 standard (for managing information security).