Mapping COBIT and ITIL to your IT disaster recovery process

COBIT and ITIL are two frameworks that provide measurable controls to assist you in reviewing your DR process.


A key aspect of business continuity (BC) and disaster recovery (DR) management is measuring performance. Expanding our thinking on the use of metrics, this article examines how IT disaster recovery might be mapped to two widely used frameworks: the Information Technology Infrastructure Library (ITIL) Version 3 and Control Objectives for Information and related Technology (COBIT) Release 4.1. These two frameworks provide measurable controls that can be applied to the IT disaster recovery process. Why is this important? Assuming you want to build IT disaster recovery plans that are consistent with accepted industry standards and controls, these two frameworks provide solid starting points.

COBIT 4.1

COBIT 4.1 is a globally accepted framework for IT governance based on industry standards and best practices. Once it is implemented, executives can ensure that IT is aligned effectively with business goals and can better direct the use of IT for business advantage. Developed by the IT Governance Institute, COBIT provides a common language for business executives to communicate goals, objectives and results with audit, IT and other professionals. COBIT provides best practices and tools for monitoring and managing IT activities. It also helps executives understand and manage IT investments throughout their lifecycle and provides a method to assess whether IT services and new initiatives are meeting business requirements and are likely to deliver the benefits expected.

ITIL V3

ITIL V3 is a framework for IT service management that addresses planning, sourcing, designing, implementing, operating, supporting and improving IT services that are appropriate to business needs. ITIL provides a comprehensive, consistent and coherent best practice framework for IT service management and related processes. ITIL also promotes a high-quality approach for achieving business effectiveness and efficiency in IT service management. Developed in the U.K. by the Office of Government Commerce (OGC), the ITIL framework describes approaches, functions, roles and processes upon which organizations may develop and measure their own IT practices.

Mapping IT disaster recovery to COBIT and ITIL

The IT disaster recovery process is fairly well defined. To determine where the relevant components of COBIT and ITIL overlap with IT DR, we have constructed a "crosswalk" as shown in "Detailed Mapping of IT Disaster Recovery to COBIT and ITIL." With this crosswalk map, you can refer to the detailed content within the two frameworks as they align with specific IT DR activities. If you already utilize one or both of these frameworks, we are not suggesting you develop your overall IT DR program and plans differently than you otherwise would. Like most current standards, practices and frameworks, COBIT and ITIL are prescriptive. They describe "what" needs to be done, but not "how" to do it. You can use the frameworks as a checklist to ensure that you have not missed any key activities.

Table 1: Detailed mapping of IT disaster recovery to COBIT and ITIL

| IT disaster recovery activity | COBIT control objective | COBIT name | ITIL control objective | ITIL name |
|---|---|---|---|---|
| Enterprise-wide and consistent approach to IT continuity management | DS4.1 | IT continuity framework | SD 4.5; SD 4.5.5.1; CSI 5.6.3 | IT service continuity management; Stage 1: Initiation; IT service continuity management |
| Individual continuity plans based on framework; business impact analysis; resilience, alternative processing and recovery | DS4.2 | IT continuity plans | SD 4.5.5.2; SD 4.5.5.3 | Stage 2: Requirements and strategy; Stage 3: Implementation |
| Focus on critical infrastructure, resilience and prioritization; response for different time periods | DS4.3 | Critical IT resources | SD 4.4.5.2; SD 4.5.5.4 | The proactive activities of availability management; Stage 4: Ongoing operation |
| Change control to reflect changing business requirements | DS4.4 | Maintenance of the IT continuity plan | SD 4.5.5.4 | Stage 4: Ongoing operation |
| Regular testing; implementing action plan | DS4.5 | Testing of the IT continuity plan | SD 4.5.5.3; SD 4.5.5.4 | Stage 3: Implementation; Stage 4: Ongoing operation |
| Regular training for all concerned parties | DS4.6 | IT continuity plan training | SD 4.5.5.3; SD 4.5.5.4 | Stage 3: Implementation; Stage 4: Ongoing operation |
| Proper and secure distribution to all authorized parties | DS4.7 | Distribution of the IT continuity plan | SD 4.5.5.3; SD 4.5.5.4 | Stage 3: Implementation; Stage 4: Ongoing operation |
| Planning for the period when IT is recovering and resuming services; business understanding and investment support | DS4.8 | IT services recovery and resumption | SD 4.4.5.2; SD 4.5.5.4 | The proactive activities of availability management; Stage 4: Ongoing operation |
| Offsite storage of all critical media, documentation and resources needed, in collaboration with business process owners | DS4.9 | Offsite backup storage | SD 4.5.5.2; SO 5.2.3 | Stage 2: Requirements and strategy; Backup and restore |
| Regular management assessment of plans | DS4.10 | Post-resumption review | SD 4.5.5.3; SD 4.5.5.4 | Stage 3: Implementation; Stage 4: Ongoing operation |

Table 1 shows how specific IT disaster recovery activities map to COBIT control objectives and ITIL processes. While your overall IT DR program will probably address more issues than these, they provide a solid foundation.

Example: Testing IT disaster recovery plans

Testing and exercising DR plans are among the most important -- and often neglected -- activities in the disaster recovery process. COBIT DS4.5, for example, explains the importance of testing and exercising your DR process. COBIT DS4.5 says:

"Test the IT continuity plan on a regular basis to ensure that IT systems can be effectively recovered, shortcomings are addressed and the plan remains relevant. This requires careful preparation, documentation, reporting of test results and, according to the results, implementation of an action plan. Consider the extent of testing recovery of single applications to integrated testing scenarios to end-to-end testing and integrated vendor testing." (COBIT DS4.5)

By contrast, if we explore the ITIL provisions, we see that ITIL endorses a framework called IT Service Continuity Management (ITSCM). ITSCM addresses risks that could cause a sudden and serious impact to the IT infrastructure, such that a disruption could threaten the continued operation of the business. According to ITIL, ITSCM must be aligned with the business continuity lifecycle: ITSCM focuses on protecting the technology infrastructure, while business continuity focuses on risks that could disrupt business operations. SD 4.5.5.3 and SD 4.5.5.4 address the activities, methods and techniques that enable ITSCM. They also describe the planning, protection and optimization actions for Stage 3, Implementation (SD 4.5.5.3), and Stage 4, Ongoing operation (SD 4.5.5.4), of the ITSCM lifecycle.

Both sets of guidance can be used as part of the IT disaster recovery testing process. COBIT 4.1 provides more specific detail on the objectives of a test, while ITIL delineates the basic management processes without going into specific detail. In both cases, however, the guidance describes what should be done, not how to do it.

An important first step is to determine whether your organization already supports these frameworks or is planning to do so. If it does, you can ensure that your DR program is compliant with them. If your organization does not support COBIT or ITIL, you can still use the frameworks to structure your program development efforts according to industry-accepted practices.

Organizations wishing to adopt best practices for IT operations, including disaster recovery, can benefit from the use of management frameworks. The frameworks provide consistent and measurable approaches and make successful outcomes more likely, especially in the aftermath of an unplanned IT service disruption. The examples offered in this article can help you get started. The level of detail you need depends on your company, how it conducts business and how it measures performance.

About the author: Paul Kirvan, CISA, CISSP, FBCI, CBCP, has more than 20 years' experience in business continuity management as a consultant, author and educator. He is also secretary of the Business Continuity Institute USA Chapter.

This was first published in November 2009
