Mapping COBIT and ITIL to your IT disaster recovery process
COBIT and ITIL are two frameworks that provide measurable controls to assist you in reviewing your DR process.
A key aspect of business continuity (BC) and disaster recovery (DR) management is measuring performance. Expanding our thinking on the use of metrics, this article examines how IT disaster recovery might be mapped to two widely used frameworks: Information Technology Infrastructure Library (ITIL) Version 3 and Control Objectives for Information and related Technology (COBIT) Release 4.1. These two frameworks provide measurable controls that can be applied to the IT disaster recovery process. Why is this important? If you want to build IT disaster recovery plans that are consistent with accepted industry standards and controls, these two frameworks provide solid starting points.
COBIT 4.1
COBIT 4.1 is a globally accepted framework for IT governance based on industry standards and best practices. Once it is implemented, executives can ensure that IT is aligned effectively with business goals and can better direct the use of IT for business advantage. Developed by the IT Governance Institute, COBIT provides a common language for business executives to communicate goals, objectives and results with audit, IT and other professionals. COBIT provides best practices and tools for monitoring and managing IT activities. It also helps executives understand and manage IT investments throughout their lifecycle and provides a method to assess whether IT services and new initiatives are meeting business requirements and are likely to deliver the benefits expected.
ITIL V3
ITIL V3 is a framework for IT service management that addresses planning, sourcing, designing, implementing, operating, supporting and improving IT services that are appropriate to business needs. ITIL provides a comprehensive, consistent and coherent best practice framework for IT service management and related processes. ITIL also promotes a high-quality approach for achieving business effectiveness and efficiency in IT service management. Developed in the U.K. by the Office of Government Commerce (OGC), the ITIL framework describes approaches, functions, roles and processes upon which organizations may develop and measure their own IT practices.
Mapping IT disaster recovery to COBIT and ITIL
The IT disaster recovery process is fairly well defined. To determine where the relevant components of COBIT and ITIL overlap with IT DR, we have constructed a "crosswalk" as shown in "Detailed Mapping of IT Disaster Recovery to COBIT and ITIL." With this crosswalk map, you can refer to the detailed content within the two frameworks as they align with specific IT DR activities. If you already utilize one or both of these frameworks, we are not suggesting you develop your overall IT DR program and plans differently than you otherwise would. Like most current standards, practices and frameworks, COBIT and ITIL are prescriptive. They describe "what" needs to be done, but not "how" to do it. You can use the frameworks as a checklist to ensure that you have not missed any key activities.
Table 1: Detailed mapping of IT disaster recovery to COBIT and ITIL

| IT disaster recovery activity | COBIT control objective | COBIT name | ITIL control objective | ITIL name |
| Enterprise-wide and consistent approach to IT continuity management | DS4.1 | IT continuity framework | SD 4.5; SD 4.5.5.1; CSI 5.6.3 | IT service continuity; Stage 1: Initiation; IT service continuity |
| Individual continuity plans based on framework; business impact analysis; resilience, alternative processing and recovery | DS4.2 | IT continuity plans | SD 4.5.5.2; SD 4.5.5.3 | Stage 2: Requirements and strategy; Stage 3: Implementation |
| Focus on critical infrastructure, resilience and prioritization; response for different time periods | DS4.3 | Critical IT resources | SD 4.4.5.2; SD 4.5.5.4 | The proactive activities of availability management; Stage 4: Ongoing operation |
| Change control to reflect changing business requirements | DS4.4 | Maintenance of the IT continuity plan | SD 4.5.5.4 | Stage 4: Ongoing operation |
| Regular testing; implementing action plan | DS4.5 | Testing of the IT continuity plan | SD 4.5.5.3; SD 4.5.5.4 | Stage 3: Implementation; Stage 4: Ongoing operation |
| Regular training for all concerned parties | DS4.6 | IT continuity plan training | SD 4.5.5.3; SD 4.5.5.4 | Stage 3: Implementation; Stage 4: Ongoing operation |
| Proper and secure distribution to all authorized parties | DS4.7 | Distribution of the IT continuity plan | SD 4.5.5.3; SD 4.5.5.4 | Stage 3: Implementation; Stage 4: Ongoing operation |
| Planning for the period when IT is recovering and resuming services; business understanding and investment support | DS4.8 | IT services recovery and resumption | SD 4.4.5.2; SD 4.5.5.4 | The proactive activities of availability management; Stage 4: Ongoing operation |
| Offsite storage of all critical media, documentation and resources needed, in collaboration with business process owners | DS4.9 | Offsite backup storage | SD 4.5.5.2; SO 5.2.3 | Stage 2: Requirements and strategy; Backup and restore |
| Regular management assessment of plans | DS4.10 | Post-resumption review | SD 4.5.5.3; SD 4.5.5.4 | Stage 3: Implementation; Stage 4: Ongoing operation |
The table shows how specific IT disaster recovery activities map to COBIT control objectives and ITIL provisions. Your overall IT DR program will probably address more issues than these, but they provide a solid foundation.
Example: Testing IT disaster recovery plans
Testing and exercising DR plans are among the most important -- and most often neglected -- activities in the disaster recovery process. COBIT DS4.5, for example, explains the importance of testing and exercising your DR process. COBIT DS4.5 says:
"Test the IT continuity plan on a regular basis to ensure that IT systems can be effectively recovered, shortcomings are addressed and the plan remains relevant. This requires careful preparation, documentation, reporting of test results and, according to the results, implementation of an action plan. Consider the extent of testing recovery of single applications to integrated testing scenarios to end-to-end testing and integrated vendor testing." (COBIT DS4.5)
By contrast, if we explore the ITIL provisions, we see that ITIL endorses a framework called IT Service Continuity Management (ITSCM). ITSCM addresses risks that could cause a sudden and serious impact to the IT infrastructure, such that a disruption could threaten the continued operation of the business. According to ITIL, ITSCM must be aligned with the business continuity lifecycle: ITSCM focuses on protecting the technology infrastructure, while business continuity focuses on risks that could disrupt business operations. SD 4.5.5.3 and SD 4.5.5.4 address the activities, methods and techniques that enable ITSCM. They also describe planning, protection and optimization actions for Stage 3, Implementation (SD 4.5.5.3), and Stage 4, Ongoing operation (SD 4.5.5.4), of the ITSCM lifecycle.
In this case, the ITIL and COBIT guidance can be used as part of the IT disaster recovery testing process. COBIT 4.1 provides more specific detail on the objectives of a test, while ITIL delineates the basic management processes without going into specific detail. In both cases, however, the guidance describes what should be done, not how to do it.
An important first step is to determine whether your organization already supports these frameworks or is planning to do so. If it does, you can ensure that your DR program is consistent with them. If your organization does not support COBIT or ITIL, you can still use the frameworks to structure your program development efforts according to industry-accepted practices.
Organizations wishing to adopt best practices for IT operations, including disaster recovery, can benefit from the use of management frameworks. The frameworks provide consistent and measurable approaches. They are also likely to ensure successful outcomes, especially in the aftermath of an unplanned IT service disruption. The examples offered in this article can help you get started. The level of detail depends on your company, how it conducts business and how it measures performance.
About this author: Paul Kirvan, CISA, CISSP, FBCI, CBCP, has more than 20 years' experience in business continuity management as a consultant, author and educator. He is also secretary of the Business Continuity Institute USA Chapter.