ITIL® 4 and COBIT®

Vishal Vyas

White Paper
May 2019
Contents
1
Introduction 03

2 Putting it in perspective: IT governance and IT management 03

3 ITIL 4 and COBIT 2019: focusing on similar problems from different directions 03

4
ITIL 4 05

5
COBIT 2019 06

6 ITIL 4 and COBIT 2019: similarities in framework architecture 08

7 Synergy in components of the governance system and dimensions of service 09

management

8 Synergies between ITIL service value chain and COBIT goals cascade 10

9 Synergies between ITIL service value chain activities and COBIT domains 10

10 Synergies in ITIL practices and governance management objectives 11

11 ITIL 4 and COBIT 2019: how they are different 13

12
Conclusion 13

13
About the author 14

02 TIL® 4 and COBIT® AXELOS.COM

1 Introduction
In many areas of work there can be a conflict between doing the right thing or doing things right. In an IT environment,
doing the right thing can be summarized in what the IT team decides to focus on to achieve the business aims. This is IT
governance. When this has been decided, the IT team will focus on doing things right. In practical terms, this translates to
how the IT team will carry out this task. This is IT service management.

2 Putting it in perspective: IT governance and IT management

There is a certain amount of confusion regarding the term IT governance. Some IT professionals mistakenly believe that
IT governance is related to adhering to rules and regulations, as well as general bureaucratic tasks, that can act as. an
impediment to normal operations. This view of IT governance is unfair and inaccurate. The truth is that IT governance works
together with IT management. IT governance ensures that IT activities and processes are aligned with the overall objective,
such as enterprise priorities. IT Management is the methods used by IT teams to meet these objectives. IT governance
aims to achieve balance between IT performance and IT conformance. IT performance ensures that IT continually delivers
value and meets consumers expectations in terms of cost, functionality and so on. IT conformance ensures that all of the
rules and regulations are adhered to and that all risks are appropriately managed. IT performance and IT conformance can
conflict with one another. For example, an excessive focus on IT conformance would be where the IT security department
enforces a stringent password policy, where all passwords must be 32 characters long, include numbers, and changed daily.
This would result in difficulties for the user. On the other hand, IT performance would enforce a lax password policy where
passwords never expire, require four characters, and only include numbers would compromise IT security. IT governance
would create systems to evaluate the various options available and then select the appropriate option. Thus, IT governance is
the balance between IT performance and IT conformance.

3 ITIL® 4 and COBIT® 2019: focusing on similar problems from

different directions
IT today is a much complex and continuously evolving entity than what it was just 20 years ago. Initially, the enormous
efficiency improvements brought by IT to business processes was the key driver for the increasing use of IT in many areas.
The increase in the number and quality of technology led to the use of IT in more complex and critical business processes.
After a short amount of time, the industry was facing increasingly complex IT, which had become ubiquitous in industry
segments, business domains, and processes.

This complexity had been created due to the volume of material and the interdependencies of technologies on one another.
Furthermore, there was an overabundance of stakeholders working simultaneously on the various aspects of IT design,
creation, delivery, and consumption. There have been clear attempts by IT stakeholders to manage this complexity. ITIL
is an example of this. Business stakeholders have also attempted to utilize IT to suit business objectives. This has been
attempted through governance and control frameworks such as COBIT.

The focus of ITIL has steadily evolved over the years. Currently, its objective is to deliver value to the customer in the form of
services. The key objective is to understand parameters and needs involved in a good service delivery. This is viewed from
the service provider’s perspective, looking at the client or business.

The focus of COBIT has also evolved. Its key objective is to ensure services are delivering stakeholder value from a business
perspective, looking at a service delivery engine.

Essentially, COBIT and ITIL are two different methods at achieving the same objective. At a certain point these two
frameworks will complement other.

AXELOS.COM TIL® 4 and COBIT® 03

 Governance is normally considered the study of ‘what’ an organization needs to achieve, whereas management
is usually about ‘how’ to achieve it. In other words, COBIT is the governance framework and ITIL is the execution
framework.

Figure 3.1 COBIT and ITIL interaction

4 ITIL 4
ITIL 4 acknowledges that there are various methods of managing and implementing IT. Hence, it does not prescribe definite
processes and architectures, as this may be counterproductive to the specific service delivery environment. Instead, ITIL 4
builds upon the immense pool of existing knowledge of IT service management practices present in various organizations. At
the same time making it flexible enough for organizations to use when and how they need it.

ITIL 4 advocates that any service delivery and value creation effort should consider the four dimensions of service
management as:

zz organizations and people

zz information and technology
zz partners and suppliers
zz value streams and processes.

ITIL service value system consists of:

zz Guiding principles: recommendations that can guide an organization in all circumstances, regardless of changes in its goals,
strategies, type of work, or management structure.
zz Governance: the means by which an organization is directed and controlled.
zz Service value chain: a set of interconnected activities that an organization performs to deliver a valuable product or service to
its consumers and to facilitate value realization.
zz Practices: sets of organizational resources designed for performing work or accomplishing an objective.
zz Continual improvement: a recurring organizational activity performed at all levels to ensure that an organization’s
performance continually meets stakeholders’ expectations.

04 ITIL® 4 and COBIT® AXELOS.COM

Figure 4.1 Service value system
The service value chain consists of six activities:

zz plan
zz improve
zz engage
zz design and transition
zz obtain/build
zz deliver and support.

5 COBIT 2019
COBIT has been one of the most popular options for anyone attempting to establish governance over IT service creation
and delivery. COBIT also established creation through IT-enabled investments. There have been other attempts such as
ISO 38500, OECD® principles, and the Cadbury report. However, these have not be as popular as COBIT, nor have they
developed the large repository of knowledge as COBIT has.

COBIT 2019 has been updated with new guidance, facilitating an easier and more intuitive implementation. This will
strengthen COBIT’s continuing role as an important driver of innovation and business transformation.

COBIT 2019 prescribes the six governance system principles as:

zz provide stakeholder value

zz holistic approach
zz dynamic governance system
zz governance distinct from management
zz tailored to enterprise needs
zz end-to-end governance system.

COBIT 2019 product architecture consists of major components.

AXELOS.COM ITIL® 4 and COBIT® 05

For information and technology to contribute to enterprise goals, several governance and management objectives should be
achieved. These 40 governance and management objectives are grouped into five domains:

zz EDM: evaluate, direct, and monitor

zz APO: align, plan, and organize
zz BAI: build, acquire, and implement
zz DSS: deliver, service, and support
zz MEA: monitor, evaluate, and assess.

To satisfy governance objectives, each enterprise needs to establish and sustain a system built from some of the below
components:

zz processes
zz organizational structures
zz principles, policies, and frameworks
zz information
zz culture, ethics, and behaviour
zz people, skills, and competencies
zz services, infrastructure, and applications

A focus area describes a certain governance topic, domain or issue that can be addressed by a collection of governance
objectives and their components. For example:

zz small and medium enterprises

zz information security
zz risk
zz DevOps

Organizations will need to adapt the following design factors to meet their requirements:

zz enterprise strategy
zz enterprise goals
zz risk profile
zz I and T related Issues
zz threat landscape
zz compliance requirements
zz role of IT
zz sourcing model for IT
zz IT implementation methods
zz technology adoption strategy
zz enterprise size

06 ITIL® 4 and COBIT® AXELOS.COM

6 ITIL 4 and COBIT 2019: similarities in framework architecture
6.1 GOVERNANCE IN COBIT 2019 AND ITIL SVS
ITIL 4 service value system is an example of how various components in a service providers organization can come together
to create value. One of the important components of ITIL SVS is governance. The principles of governance as discussed
in COBIT are similar to some of the concepts discussed in ITIL 4. Evaluate, direct and monitor are the basic governance
components accepted by both ITIL 4 and COBIT 2019.

6.2 GUIDING PRINCIPLES

Figure 6.1 Guiding principles

The 7 guiding principles of ITIL 4 should be considered in all areas of an organization. Some of the guiding principles in ITIL
4 have a close relationship with the governance system principles described in COBIT 2019 such as:

Focus on value: the ITIL 4 guiding principle of focus on value is compatible with the COBIT 2019 governance principle of
delivering stakeholder value. Both principles focus on value creation for the relevant stakeholders.

Think and work holistically: the ITIL 4 guiding principle of think and work holistically is compatible with the COBIT 2019
governance principle of end-to-end governance system. Both principles state that value cannot be delivered by working in
isolation but can only be created by focusing on all of the components that the enterprise puts in place to achieve its goals.

Progress iteratively with feedback: ITIL 4 guiding principle of progress iteratively with feedback has some similarity with
the COBIT 2019 governance principle of dynamic governance system. Both principles acknowledge that the management
framework will be revised during its lifetime in response to a changing business environment.

AXELOS.COM ITIL® 4 and COBIT® 07

7 Synergy in components of the governance system and dimensions
of service management
ITIL 4 reinforces the principle that value cannot be created by independently implementing either processes or technology.
The value creation must be brought about holistically to include the four dimensions of service management. These
dimensions complement some of the components of the COBIT 2019 components of the governance system. Interestingly
COBIT does identify partners/suppliers as one of the components of a governance system.

Figure 7.1 Interaction between governance system and service management

Organizations and people: this dimension is closely associated with the COBIT 2019 component of organization structures,
people skills, and competencies.

Information and technology: this dimension is closely related with the COBIT 2019 component of information, service
infrastructure, and applications.

Value streams and processes: this dimension is closely related with the COBIT 2019 component of processes, principle
policies, and procedures.

08 ITIL® 4 and COBIT® AXELOS.COM

8 Synergies between ITIL service value chain and COBIT goals
cascade
To create value, six activities of the ITIL service value chain draw upon other organizational components. These activities are
non-linear, and do not have a definite sequence or definite start and end points. The value creation journey will be different
for every value creation instance. A similar concept can be observed in COBIT 2019 governance and management objective.

The localization and customization of service value chain is a key point emphasized in ITIL 4. The requirements that need to
be met must be determined before embarking on a service value chain for value creation. This will determine the sequence
of activities.

A similar process ensures the localization and customization of application of COBIT through a goal cascade methodology.
The organization must understand what the enterprise goals and priorities are, before embarking on the application of
governance controls and processes. There are 13 such enterprise goals identified in COBIT 2019. Once selected it can be
mapped on to the alignment goals; which there are 13 of, that IT is expected to achieve, to contribute to value creation.
These alignment goals; which there are 40 of, can then be used to decide which governance objectives need to be worked
on to improve the governance systems within the organization.

The similarities between the two frameworks can be observed at a very high level. Both frameworks consider business
objectives and focus on value creation as a starting point. Yet, they are both trying to achieve a different purpose.

9 Synergies between ITIL service value chain activities and COBIT

domains
ITIL 4 service value chain activities will use a different combination of ITIL practices to create value. This is fairly similar to
the governance and management objective in the five domains in COBIT.

COBIT align, plan, and organize and ITIL service value chain plan activity: these two frameworks complement each other
as the grouped processes/practices focus on all of the planning activities within an organization, such as projects, services,
enterprise architecture, and so on.

COBIT build, acquire, and implement (BAI) and ITIL service value chain design/transition build/obtain activity: COBIT
domain BAI complements ITIL SVC activities of design/transition in areas such as requirement definition, availability,
capacity, and so on.

COBIT domain BAI also complements ITIL SVC activities of build/acquire in areas such as managed IT assets, configuration,
solution acceptance, and so on.

COBIT deliver service support (DSS) and ITIL service value chain deliver and support activity: these two are perhaps the
most complementary activities in COBIT and ITIL 4. Both focus on areas such as service requests, problems, incidents, and
so on.

AXELOS.COM ITIL® 4 and COBIT® 09

10 Synergies in ITIL practices and governance management
objectives
Both ITIL 4 and COBIT are frameworks that have similar objectives yet attain them through different perspectives. One
to one mapping of processes is neither possible nor advisable. However, there are certain similarities that can be used to
complement one another.

COBIT has taken an open approach in articulating the scope of its influence. When necessary, it also does not shy away
from guiding users to other appropriate frameworks, standards, and processes. COBIT 4.1 and COBIT 5 have a related
guidance outline. COBIT2019 takes a step further in this direction. In the description of governance and management
objectives, each objective points to a ‘related guidance’ and ‘detailed reference’. Hence, it has become easier for
practitioners to combine the governance directions from COBIT, with the activities in ITIL, to create a comprehensive
solution. Nonetheless, in the current version of COBIT 2019 each objective is mapped to ITIL v3 processes.

The below table is a high-level overview of how COBIT 2019 governance and management objectives are mapped to ITIL 4
practices. It should be noted that this is a very high-level chart showing similarities and should not be considered as an exact
cross-reference of all of the content/activities within both of the frameworks. Its intention is to show how the implementation
of ITIL practices in an organization will support governance implementation efforts.

10 ITIL® 4 and COBIT® AXELOS.COM

Table 10.1 COBIT 2019 objectives compared to ITIL 4 practices

COBIT 2019 governance and management objective ITIL 4 practices

EDM03 Ensured risk optimization Risk management
APO02 Managed strategy Strategy management
APO03 Managed enterprise architecture Architecture management
APO05 Managed portfolio Portfolio management
APO06 Managed budget and costs Service financial management
APO07 Managed human resources Workforce and talent management
APO08 Managed relationships Relationship management
APO09 Managed service agreements Service level management
APO10 Managed vendors Supplier management
APO12 Managed risk Information security management
(partial), Risk management
BAI02 Managed requirements definition Business analysis, software
development, and management
BAI03 Managed solutions identification and Service design
build
BAI04 Managed availability and capacity Availability management, capacity, and
performance management
BAI05 Managed organizational change Organizational change management
BAI06 Managed IT changes Change control
BAI07 Managed IT change, acceptance, and Release management, deployment
transitioning management
BAI08 Managed knowledge Knowledge management
BAI09 Managed assets IT asset management
BAI10 Managed configuration Service configuration management
BAI11 Managed projects Project management
DSS01 Managed operations Infrastructure and platform
management (partial)
DSS02 Managed service requests and Incident management, service desk,
incidents service request management
DSS03 Managed problems Problem management
DSS04 Managed continuity Service continuity management
DSS05 Managed security services Information security management,

MEA01 Managed performance and Continual improvement, measurement

conformance monitoring and reporting

MEA02 Managed system of internal control Information security management,

(partial)

Measurement and reporting (partial)

AXELOS.COM ITIL® 4 and COBIT® 11

11 ITIL 4 and COBIT 2019: how they are different
COBIT 2019 focuses on the overall enterprise when creating and managing the governance system. On the other hand, ITIL
4 focuses on even the smallest opportunities of value creation between service providers and service consumers. Thus,
COBIT 2019 is concerned with the system, whereas ITIL 4 is concerned with every process within the system regardless of
its size.

ITIL 4 has continuously developed by applying an active and modular approach towards IT service management.
Consequently, ITIL 4 can be used by any organization to manage and improve its IT services at all levels and at any size.

COBIT 2019 is equally comprehensive in its coverage of IT governance. However, unlike ITIL 4 it would be difficult to scale
down COBIT 2019 for use in a smaller organization. Yet, ITIL 4 and COBIT 2019 have been created for different purposes,
so it would be unrealistic to expect them to apply to the same situation.

12 Conclusion

Organizations need to take a comprehensive view of IT services and govern them with the assistance of a robust governance
framework. Moreover, the framework will need strong support from the top of the organization to achieve its aims.
I once worked on an interesting project in a large government organization using multiple frameworks. ITIL for Service
Delivery, CMMI for Application development, PMBoK for Project Management, TOGAF for enterprise architecture, and
so on. Each department was satisfied with their own management framework. However, senior management was
finding it difficult to create an enterprise wide performance picture for enabling strategic decisions. We successfully
used COBIT as an integrator framework to correlate and map the other frameworks and project the enterprise level
performance dashboard without disturbing the other frameworks already in use.

Further details can be found at http://www.isaca.org/COBIT/focus/Pages/dubai-customs-cobit-5-implementation.
aspx [Accessed on 23 May 2019]
It is evident that COBIT 2019 can work in harmony with ITIL 4 in any complex IT environment. Particularly, the
implementation of a COBIT governance system will be greatly supported by the existence of ITIL 4 practices in that IT
environment

Whereas COBIT 2019 focuses on governance of enterprise IT, ITIL 4 focuses on management and execution of IT in the
enterprise for value creation. Enterprises should use COBIT 2019 for deciding the ‘what’ part of the IT service value equation
and should depend on ITIL 4 for seeking answers to the ‘how,’ ‘when,’ and ‘where’ questions.

Both frameworks can be applied in a specific environment to work together. The presence of one in a certain environment
will benefit the implementation of the other.

12 ITIL® 4 and COBIT® AXELOS.COM

References

AXELOS (2019). ITIL® Foundation, ITIL 4 edition. London: The Stationary Office

ISACA (2018). COBIT® 2019 Design Guide. Schaumburg: ISACA

ISACA (2019). COBIT® 2019 Framework: Introduction and Methodology. Schaumburg: ISACA

ISACA (2018). COBIT® 2019 Implementation Guide. Schaumburg: ISACA

Vyas, V, GEIT. Al Ghaith, J. Al Yaqoobi, A, PMP. Hasan, SJ. (18 January 2016) Dubai Customs COBIT 5 Implementation.
COBIT Focus, [online]. Available at: http://www.isaca.org/COBIT/focus/Pages/dubai-customs-cobit-5-implementation.aspx
[Accessed 20 May. 2019]

13 About the author

Vishal is Chief Solutions Officer at Knowlathon, heading global consulting and coaching
practice on IT Governance and IT Service management. He has delivered sessions and
projects in over 24 countries over 15 years. He is passionate about coaching teams
and organizations on ITSM, IT governance, and risk management to co-create unique
solutions for complex and challenging environments. Vishal is especially adept at
mentoring consultants and instructors to deliver high impact sessions and consulting
assignments. He also actively participates in industry forums to create knowledge
resources for advancement of public knowledge and understanding of best practice
frameworks.

AXELOS.COM ITIL® 4 and COBIT® 13

14 About AXELOS
AXELOS is a joint venture company co-owned by the UK Government’s Cabinet Office and Capita plc.

It is responsible for developing, enhancing and promoting a number of best practice methodologies used
globally by professionals working primarily in project, programme and portfolio management, IT service
management and cyber resilience.

The methodologies, including ITIL®, PRINCE2®, PRINCE2 Agile®, MSP®, RESILIA® and its newest
addition AgileSHIFT® are adopted in more than 150 countries to improve employees’ skills, knowledge and
competence in order to make both individuals and organizations work more effectively. 

In addition to globally recognized qualifications, AXELOS equips professionals with a wide range of content,
templates and toolkits through the CPD aligned My AXELOS and our online community of practitioners and
experts.

Visit www.AXELOS.com for the latest news about how AXELOS is ‘Making organizations
more effective’ and registration details to join AXELOS’ online community. If you have specific queries,
requests or would like to be added to the AXELOS mailing list please contact
Ask@AXELOS.com.

15 Trade marks and statements

AXELOS®, the AXELOS swirl logo®, ITIL®, PRINCE2®, PRINCE2 Agile®, MSP®, M_o_R®, P3M3®, P3O®,
MoP®, MoV®, RESILIA® are registered trade marks of AXELOS Limited. AgileSHIFT® is a trade mark of
AXELOS Limited. All rights reserved.

Copyright © AXELOS Limited 2019.

COBIT® is a registered trademark of ISACA

Image credits: ©Getty/Fuse,

Figure 4.1 AXELOS (2019). London: The Stationary Office.

Figures 3.1, 6.1, and 7.1 were created by the author

Reuse of any content in this White Paper is permitted solely in accordance with the permission terms at
https://www.axelos.com/policies/legal/permitted-use-of-white-papers-and-case-studies

A copy of these terms can be provided on application to AXELOS at Licensing@AXELOS.com

Our White Paper series should not be taken as constituting advice of any sort and no liability is accepted for
any loss resulting from or use of or reliance on its content. While every effort is made to ensure the accuracy
and reliability of information, AXELOS cannot accept responsibility for errors, omissions or inaccuracies.
Content, diagrams, logos and jackets are correct at time of going to press but may be subject to change
without notice.

Sourced and published on www.AXELOS.com

AXELOS.COM TIL® 4 and COBIT® 14