
Copyright © 2004 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.

COBIT in Relation to Other International Standards
By Jimmy Heschl

The US Sarbanes-Oxley Act and similar legislation worldwide call for increased corporate governance and include substantial requirements for IT, which can be summarized by the term IT governance. Board members, IT professionals and IT auditors need guidance to implement IT governance and to maintain a level of control throughout the process.

The IT Governance Institute (ITGI) Research Board and the Control Objectives for Information and related Technology (COBIT) Steering Committee recognized that, for IT topics, several other standards exist in addition to COBIT. As the clear target of ITGI, and as shown in recent publications from Gartner Group, COBIT is the best available framework for control and governance for IT. For members of the Information Systems Audit and Control Association (ISACA), as well as companies and organizations interested in implementing IT control and IT governance, the question arises whether and how COBIT and other standards can be integrated. A mapping of COBIT to several other standards was increasingly being requested by the public. ISACA and the ITGI responded with COBIT Mapping: Overview of International IT Guidance.

The publication's audience includes a broad spectrum of stakeholders: ISACA members; other security, control and audit professionals; managers, CIOs and CFOs; corporate and IT governance professionals; government regulators; and the business community involved in the most important standards of IT control and IT security.

The research provides all stakeholders with an overview of the current state of security and integrity risk issues, together with a global overview of most of the important standards of IT control and IT security. It also offers a detailed mapping of ISO 17799 and COBIT, as perceived by IT, business, government and assurance executives in key countries around the world. The overview, phase I, offers solutions to overcome the perception of security as a barrier, and a global overview of most of the important standards of IT control and IT security. Phase II, the detailed mapping of COBIT and ISO 17799, is developed from a business process, accounting, security and control and/or audit perspective.

Overview Phase
The project was initiated to map the most important and commonly used standards and guidance to the COBIT processes and control objectives. The term "standard" is used here to encompass guidance publications as well. While the list of international standards compared in this research is not exhaustive, several standards were identified as the main guidance for IT governance. The research gives an overview of the most popular guidance for managing IT, or at least parts of the tasks and duties of IT.

COBIT Mapping: Overview of International IT Guidance was published in January 2004 and is available as a free download from the ISACA web site, www.isaca.org/cobitmapping. It discusses the following important international standards and guidance for IT control and IT security in relationship to COBIT:
• COSO
• ITIL
• ISO/IEC 17799:2000
• ISO/IEC 13335
• ISO/IEC 15408
• TickIT
• NIST 800-14

The result is a road map of guidance supporting IT governance implementation. For each of the international standards/guidance examined, the document provides a classification, a short overview of the contents, the business driver for implementing the guidance, and the risks of noncompliance.

A scheme of different dimensions that allows the comparison of the standards was defined, and the following sections of this article contain an abstract of the results.

Document Taxonomy
There was a need to determine whether the guidance is an international or a national standard, a collection of best practices, etc. (figure 1).

Figure 1—Description of Guidance
Guidance | Taxonomy
COBIT | Collection of publications, classified as best practice for IT control and IT governance
ITIL | Collection of books, referred to as best practice for IT service management
ISO/IEC 17799:2000 | International standard
ISO/IEC TR 13335—Guidelines for the Management of IT Security | Technical report
ISO/IEC 15408—Security Techniques—Evaluation Criteria for IT Security | International standard
TickIT | Scheme for assessment and certification
NIST 800-14—Generally Accepted Principles and Practices for Securing Information Technology Systems | Special publication
COSO Internal Control—Integrated Framework | Report

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 4, 2004


Issuer
This refers to the issuing body of the paper (figure 2). Which organization is standing behind the definition and keeping the document up to date?

Figure 2—Issuers
Guidance | Issuer
COBIT | IT Governance Institute, USA
ITIL | British Office of Government Commerce (OGC), UK
ISO/IEC 17799:2000 | International Organization for Standardization and International Electrotechnical Commission Joint Technical Committee (ISO/IEC JTC 1), Switzerland
ISO/IEC TR 13335 | ISO/IEC JTC 1, Switzerland
ISO/IEC 15408 | ISO/IEC JTC 1, Switzerland
TickIT | TickIT Office, British Standards Institution (BSI), UK
NIST 800-14 | Computer Security Resource Center (CSRC), National Institute of Standards and Technology (NIST), US Department of Commerce, USA
COSO | Committee of Sponsoring Organizations of the Treadway Commission (COSO), USA

Goal(s) of the Standard or Guidance Publication
What are the primary goals of the document? For example, the guidance may focus on information security management, baseline protection, guidance for software development or management of tactical issues (figure 3).

Figure 3—Goals
Guidance | Goals
COBIT | IT control objectives for day-to-day use
ITIL | Vendor-independent approach for service management
ISO/IEC 17799:2000 | Guidance for implementing information security
ISO/IEC TR 13335 | Guidance on aspects of IT security management
ISO/IEC 15408 | Definition of criteria for evaluation of IT security
TickIT | QMS for software development and certification criteria
NIST 800-14 | Baseline for establishing and reviewing IT security programs
COSO | Improvement of the way of controlling enterprises

Target Audience
Is there a special target audience and, if so, who is it? For example, are public organizations, assurance professionals, security management or general IT professionals the target audience? (See figure 4.)

Figure 4—Target Audiences
Guidance | Audience
COBIT | Management, users and auditors
ITIL | People responsible for IT service management
ISO/IEC 17799:2000 | People responsible for information security
ISO/IEC TR 13335 | Senior management, individuals responsible for security measures
ISO/IEC 15408 | Consumers, developers and evaluators
TickIT | Customers, suppliers and auditors
NIST 800-14 | Parties responsible for IT security in government organizations
COSO | CxOs, users and internal auditors

Timeliness
Is the standard up to date? How frequently is the paper revised and reissued? (See figure 5.)

Figure 5—Latest Revisions
Guidance | Revisions
COBIT | Revised in 2000
ITIL | Revised in 2003
ISO/IEC 17799:2000 | Published in 2000, no updates
ISO/IEC TR 13335 | Published from 1996 to 2001
ISO/IEC 15408 | Published 1999, no updates
TickIT | Revised in 2001
NIST 800-14 | Published in 1996, no updates
COSO | Published in 1992, no updates

Certification Opportunities
Is there a certification path? What can be certified? Who may act as certification body? (See figure 6.)

Figure 6—Available Certification
Guidance | Certification
COBIT | None
ITIL | Certification only of personnel, not of organizations, processes or products
ISO/IEC 17799:2000 | None; only compliance with BS 7799-2 can be certified
ISO/IEC TR 13335 | None
ISO/IEC 15408 | Yes
TickIT | Yes
NIST 800-14 | None
COSO | None



Circulation
Is the standard used internationally, or is it limited to a certain region? Is information on its usage available? (See figure 7.)

Figure 7—Geographic Focus
Guidance | Circulation
COBIT | Worldwide with localized versions
ITIL | Worldwide
ISO/IEC 17799:2000 | Worldwide with localized versions
ISO/IEC TR 13335 | Worldwide
ISO/IEC 15408 | Worldwide
TickIT | Europe
NIST 800-14 | US
COSO | Worldwide

Completeness
The completeness of the standard is classified using two dimensions (figure 8):
• Vertical—How detailed are the guidelines in terms of technical or operational depth?
• Horizontal—How complete is the guidance? How much of COBIT is addressed by the guidance? What is addressed more comprehensively in the particular standard than in COBIT? What is missing, compared to COBIT?

Figure 8—Level of Detail
[Chart: COBIT, ITIL, ISO/IEC 17799, ISO/IEC TR 13335, ISO/IEC 15408, TickIT, NIST 800-14 and COSO plotted by vertical level of detail against horizontal coverage, from narrow to broad.]

Availability
How and where can the information be obtained? (See figure 9.)

Figure 9—Obtaining Guidance
Guidance | Availability
COBIT | Free electronic download and online acquisition of printed and electronic version
ITIL | Online acquisition of printed or electronic version
ISO/IEC 17799:2000 | Online acquisition of printed or electronic version
ISO/IEC TR 13335 | Online acquisition of printed or electronic version
ISO/IEC 15408 | Online acquisition of printed or electronic version
TickIT | Online acquisition of printed or electronic version
NIST 800-14 | Free electronic download
COSO | Online acquisition of printed or electronic version

Detailed Mapping Phase
In the overview phase, the standards discussed are mapped at a high level: the control objectives are identified and mapped to the high-level control objectives of COBIT. In the detailed mapping, the content of the source document is mapped to the detailed control objectives of COBIT and follows a strict methodology, described in figure 10.

Figure 10—COBIT Mapping Methodology
Step | Description
1 | Split the original document into segments of information that can be mapped to one or more COBIT control objectives. Those pieces of information will be called "information blocks."
2 | Map the information blocks to COBIT control objectives by using the following algorithm:
2a | Do a 1:1 mapping—The information block fits a single control objective.
2b | Do a 1:n mapping—The information block fits more than one control objective.
2c | If the information block covers a complete COBIT process, map it to the COBIT process (control objective PPnn.0, e.g., DS5.0).
2d | If 2a, 2b and 2c fail, COBIT does not cover the requirement of this specific information block. Select the most appropriate process and map the information block to the control objective of that process.
3 | Describe the requirements stated by the information blocks (from the original documents), and sort the result as defined by the COBIT Framework.

Step 3 is necessary because the source documents contain copyright-protected material; publishing the content of the standards verbatim is not allowed.

To illustrate the difference between 1:1 and 1:n mapping, the following two information blocks are provided as an example. There is an information block identified in clause 7.1 of the International Standard:

7.1 Secure areas—Objective: To prevent unauthorized access, damage and interference to business premises and information.
Critical or sensitive business information processing facilities should be housed in secure areas, protected by a defined security perimeter, with appropriate security barriers and entry controls. They should be physically protected from unauthorized access, damage and interference.1

This information block matches Control Objective DS12.1 Physical Security of COBIT, so the mapping is 1:1.

But there are quite a few blocks that do not fit directly to one specific control objective. Therefore, the mapping must be done 1:n. Consider the following information block of ISO 17799:

6.2.1 Information security education and training
All employees of the organization and, where relevant, third party users, should receive appropriate training



and regular updates in organizational policies and procedures. This includes security requirements, legal responsibilities and business controls, as well as training in the correct use of information processing facilities, e.g., log on procedure, use of software packages, before access to information or services is granted.2

This matches three control objectives: PO6.11 Communication of IT Security Awareness; PO7.4 Personnel Training; and DS7.3 Security Principles and Awareness Training.

The mapping of ISO/IEC 17799:2000 is in its final stages, and the result is scheduled to be published on the ISACA web site, www.isaca.org, in the third quarter of this year. There were 858 information blocks identified, which were mapped to 184 different control objectives. This shows that only parts of COBIT are covered by the international standards, while a small amount of information from the other standards could not be mapped to one or more control objectives. Figure 11 depicts the focus of ISO 17799 on security, security policies and security management.

Conclusion
The worldwide guidance reviewed in the mapping project does focus on specific issues of IT governance, but of the guidance currently available, only COBIT addresses the full spectrum of IT governance duties.

However, several standards describe the duties in a more comprehensive manner than does COBIT. Thus, when implementing sound IT governance, those standards have to be considered, and their guidelines, models and processes should be used to facilitate the implementation of COBIT. This requires ongoing monitoring of the guidance available for IT governance. ISACA facilitates this research by publishing the results of the mappings and overviews of standards on its web site and plans to include the results in COBIT Online.

Endnotes
1 [ISO17799]: ISO/IEC, Information technology—Code of Practice for Information Security Management, Geneva, 2000
2 Ibid.

Jimmy Heschl is manager at KPMG in Austria and a member of the board of the ISACA Austria Chapter. He is a primary researcher for the COBIT mapping project.

Figure 11—Mapping ISO17799
[Bar chart: ISO 17799 information blocks mapped to each COBIT process, PO1 to PO10, AI1 to AI6, DS1 to DS13 and M1 to M4, on the horizontal axis; vertical axis 0 to 160.]
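The mapping algorithm of figure 10 and the per-process tally that figure 11 depicts can be turned into a small tool. The following Python is an added example written for this page; it is not code from the article, from ISACA or from the COBIT mapping project. Only the two ISO 17799 blocks quoted in the article (7.1 mapped to DS12.1; 6.2.1 mapped to PO6.11, PO7.4 and DS7.3) are taken from the text; the blocks labelled "hypothetical" and the helper names (`InfoBlock`, `classify`, `coverage`, `parse_co`) are assumptions constructed for the example.

```python
"""Added example (not from the article): apply the step 2 algorithm of
Figure 10 to a list of information blocks and tally mapped blocks per
COBIT process, which is the view Figure 11 depicts.

Only the two ISO 17799 blocks quoted in the article are taken from it;
the blocks marked "hypothetical" and all helper names are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Tuple

# COBIT (3rd edition) control-objective IDs look like PO6.11 or DS12.1;
# a whole process is written PPnn.0, e.g. DS5.0. Domains: PO, AI, DS, M.
CO_ID = re.compile(r"^(PO|AI|DS|M)(\d{1,2})\.(\d{1,2})$")


def parse_co(co_id: str) -> Tuple[str, int]:
    """Return (process, objective_number); objective 0 means the process."""
    m = CO_ID.match(co_id)
    if not m:
        raise ValueError(f"not a COBIT control objective ID: {co_id!r}")
    domain, proc, obj = m.groups()
    return f"{domain}{int(proc)}", int(obj)


@dataclass
class InfoBlock:
    source_ref: str                     # clause in the source standard
    summary: str                        # paraphrase, per step 3 (no verbatim text)
    targets: List[str] = field(default_factory=list)   # candidate COBIT COs
    fallback_process: str = ""          # used only when step 2d applies


def classify(block: InfoBlock) -> Tuple[str, List[str]]:
    """Apply step 2 of Figure 10. Returns (mapping_type, mapped_ids)."""
    ids = list(dict.fromkeys(block.targets))   # dedupe, keep order
    for co in ids:
        parse_co(co)                           # reject malformed IDs early
    if len(ids) == 1 and parse_co(ids[0])[1] == 0:
        return "2c process", ids               # block covers a whole process
    if len(ids) == 1:
        return "2a 1:1", ids
    if len(ids) > 1:
        return "2b 1:n", ids
    if not block.fallback_process:
        raise ValueError(f"{block.source_ref}: no target and no fallback process")
    # 2d: COBIT has no matching objective; attach it to the chosen process
    return "2d uncovered", [f"{block.fallback_process}.0"]


def coverage(blocks: List[InfoBlock]):
    """Tally mapped blocks per COBIT process and collect the distinct
    control objectives hit; 2d blocks count against their process but
    are reported separately as uncovered."""
    per_process: Counter = Counter()
    distinct = set()
    uncovered = []
    for b in blocks:
        kind, ids = classify(b)
        if kind.startswith("2d"):
            uncovered.append(b.source_ref)
        for co in ids:
            proc, _ = parse_co(co)
            per_process[proc] += 1
            if not kind.startswith("2d"):
                distinct.add(co)
    return per_process, distinct, uncovered


SAMPLE_BLOCKS = [
    # from the article
    InfoBlock("ISO 17799 7.1", "house sensitive facilities in secure areas", ["DS12.1"]),
    InfoBlock("ISO 17799 6.2.1", "security training for staff and third parties",
              ["PO6.11", "PO7.4", "DS7.3"]),
    # hypothetical: a block judged to cover the whole security process
    InfoBlock("hypothetical X.1", "security management end to end", ["DS5.0"]),
    # hypothetical: a requirement for which COBIT has no objective
    InfoBlock("hypothetical X.2", "requirement with no COBIT equivalent", [],
              fallback_process="DS5"),
]

if __name__ == "__main__":
    counts, distinct, unmapped = coverage(SAMPLE_BLOCKS)
    for proc, n in sorted(counts.items()):
        print(f"{proc:6s} {n}")
    print("distinct control objectives:", len(distinct))
    print("uncovered blocks:", unmapped)
```

The tally is per mapped objective, so a 1:n block adds one to each process it touches; that is what makes security-heavy standards such as ISO 17799 pile up under PO6, DS5 and DS12. Blocks that fall through to step 2d are kept out of the distinct-objective count, so the second figure is a genuine coverage measure rather than an inflated one.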

Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.
