Currently, the ISACA is finalizing a special version of COBIT called "QuickStart" for small and medium-sized businesses. It will contain a subset of the COBIT standard and focus on elements that are viewed as most critical for organizations that lack the resources to pursue the full standard.

The standard has the following high-level groupings: security policy, organizational security, asset classification and control, personnel security, physical and environmental security, communications and operations management, access control, systems development and maintenance, business continuity management and compliance. The standard is very well-done and covers a great deal of material in a concise manner.

The "library" currently consists of seven books: service support, service delivery, security management, application management, ICT infrastructure management, the business perspective and planning to implement service management. ITIL is very much aimed at identifying best practices in regards to managing IT service levels and a number of organizations, including the U.S. Navy and Procter and Gamble, have adopted ITIL and enjoyed substantial benefits.

The Benefits of Standards

There are a number of compelling reasons to adopt a defined standard:

1. The Wheel Exists -- In today's world time is a precious commodity. Why spend all of the time and effort to develop a framework based on limited experience when internationally developed standards already exist?

2. Structured -- The framework of the models provides an excellent structure that organizations can follow. Furthermore, the structure helps everyone be on the same page because they can see what is expected.

3. Best Practices -- The standards have been developed over time and assessed by hundreds of people and organizations all over the world. The cumulative years of experience reflected in the models can not be matched by a single organization's efforts.

4. Knowledge Sharing -- By following standards, people can share ideas between organizations, profit from user groups, Web sites, magazines, books and so on. Proponents of company-specific ad hoc approaches do not have this luxury.

5. Auditable -- Without standards, it becomes far more difficult for auditors, especially third-party auditors, to effectively assess control. By this, I mean that the auditors themselves should be following standards, as opposed to ad hoc auditing practices. The goal must be to at least certify the organization against at least one base standard and then make recommendations over and above the standard(s), where appropriate.

Which standard is best?

Interestingly, there isn't a great deal of overlap between the three. COBIT is strong in IT controls and metrics. ISO 17799 covers IT security quite well and ITIL emphasizes processes, notably those surrounding the IT helpdesk.

Rather than select one, organizations would be wise to get an overview of the three and then plan an approach that blends the best practices of each along with the needs of the organization.

For example, customers or a regulatory body may be pressuring an organization to adopt ISO 17799 and, as a result, that should then be at least the initial focus. However, rather than stop with ISO 17799, the same organization should extend its vision to include other standards as well.

Adopt and Adapt

Getting started is the hard part! This is a recurring theme in many articles written about IT governance. The question really is not "do we or don't we implement?", but really one of "how do we implement?" At this point there are a substantial number of resources available to help organizations research and implement. Take the area that is of greatest concern to you and/or your stakeholders and start with an incremental approach. All of the standards are huge undertakings and you are far better off to phase in various elements over time than to try and implement everything at once.

Summary

COBIT, ISO 17799 and ITIL all serve as excellent frameworks by which to improve IT governance. The key is to research the standards, review your needs and then move forward with the standard that is the best initial fit. In the end, all three provide best practices for IT organizations to review and eclectically adopt. Firms, moving ahead with the adoption of a standard will be well served to utilized a phased implementation project approach and start with elements of the standard that will yield their organization the most benefits.