Neha Yadav
May 6, 2019
Update 2022-04-26.
We often come across discussions comparing governance standards and frameworks such as ISO 27001 and COBIT. ISO 27001 focuses on information security controls, while COBIT, which is an IT governance framework, also covers some ISO 27001-related topics such as security, risk, and change management within its domains. This article explains what each of them is, and the similarities and differences between ISO 27001 and COBIT.
COBIT (Control Objectives for Information and Related Technologies) is an IT management and governance framework maintained by ISACA (Information Systems Audit and Control Association). It provides implementable controls over information technology, organized into IT-related processes, which support the fulfillment of these business requirements:
The current version of the COBIT framework was published in 2019. Like the previous version (COBIT 5), COBIT 2019 is divided into five domains:
For each process, COBIT defines inputs, outputs, key activities, objectives, and performance measures. Although COBIT describes processes in more detail than ISO 27001 does, it still does not provide the technical detail needed to implement them.
ISO 27001 is the ISO standard that describes how to manage information security in an organization. It consists of 11 clauses in the main part of the standard, and 114 security controls grouped into 14 sections in Annex A. The ISO 27001:2013 clauses in the main part of the standard are:
ISO 27001:2013 Annex A covers controls related to organizational structure (physical and logical), human resources, information technology, supplier management, etc.
For detailed information, read: A first look at the new ISO 27001 and An overview of ISO 27001:2013 Annex A.
One limitation of ISO 27001 is that it specifies what you need to achieve, not how to fulfill the requirements or implement the controls. For implementation guidance, you can use ISO 27002. For more information, read: ISO 27001 vs. ISO 27002.
An individual can get certified for ISO 27001 by attending a course and passing an exam, for example as a Lead Implementer or Lead Auditor.
However, ISO 27001 is primarily intended for the certification of companies – to learn more, read the article ISO 27001 certification for persons vs. organizations.
COBIT, on the other hand, offers certification only for individuals; an organization cannot be certified against COBIT.
The key difference between ISO 27001 and COBIT is that the former is solely about information security, while the latter is about the management and governance of information technology business processes.
We can consider COBIT an umbrella, or superset, that focuses on the management and governance of information technology (IT). COBIT does not only address security; it also covers how an organization organizes, arranges, and oversees its IT operations. It includes all IT controls, measures, and processes, and helps an organization map its business goals to its IT goals. It also supplies measurements and maturity models for assessing the organization's achievement, and helps identify the organization's key business responsibilities and the IT process owners.
ISO 27001, on the other hand, is an international standard for Information Security Management Systems. It focuses on performing a risk assessment and then applying specific security controls for protecting the organization’s critical information assets.
The main benefit of implementing ISO 27001 is a systematic Information Security Management System that helps with identifying critical information, assessing the information security risks to it, and implementing security controls, all of which help to create a security culture in the organization.
ISO 27001 benefits the organization in terms of its security, while COBIT gives an organization a systematic approach to IT governance and helps it meet its performance goals. Other benefits of COBIT include addressing the needs of all stakeholders and making use of innovation and technology.
For more about the benefits of ISO 27001, read the article Four key benefits of ISO 27001 implementation.
ISO 27001 consists of 11 main clauses (of which 7 are mandatory) and 114 controls in Annex A (which are selected based on the results of risk assessment and treatment). COBIT 2019 is based around a core model of 40 governance and management objectives grouped into five domains. This is how ISO 27001 and COBIT are related:
As explained in this article, ISO 27001 is an international standard focused only on information security, while COBIT has a wider scope, focusing on information technology governance, with security as one part of the framework.
Hence, if your goal is to protect your organization's information assets by implementing appropriate and relevant security controls, implement ISO 27001. If instead you are looking for an IT governance and management model that helps business process owners and managers improve business process management, enhance the value delivered by IT, and manage IT risks, go for the COBIT framework.
To learn how to comply with ISO 27001, while also implementing privacy and cybersecurity controls, sign up for a 14-day free trial of Conformio, the leading ISO 27001 compliance software.