IT Governance Frameworks

IT governance includes the processes, policies, and criteria involved in the planning, deployment, operation, and management of IT-related functions; to facilitate this, IT governance frameworks are used to give structure to organizational, leadership, and business practices. While there are numerous IT governance frameworks, the three most widely used are COBIT, ITIL, and ISO/IEC 27002 (Otero, 2019). Below, I will briefly define each of these frameworks and discuss their benefits.

COBIT, or Control Objectives for Information and Related Technologies, was first released in 1996 by ISACA (Information Systems Audit and Control Association) as a collection of IT control objectives focused on financial audits of IT environments. COBIT helps managers narrow the gap between the business risks, control environments, and technical issues faced by their organization's IT departments. COBIT 5 can be separated into two areas, governance and management; these two areas in turn contain five domains and thirty-seven processes. The domains are Governance of Enterprise IT's EDM (Evaluate, Direct, and Monitor) and Management of Enterprise IT's APO (Align, Plan and Organize), BAI (Build, Acquire and Implement), DSS (Deliver, Service and Support), and finally MEA (Monitor, Evaluate, and Assess) (Qualified Audit Partners, n.d.).

Initially developed by the U.K.'s OGC (Cabinet Office of Government Commerce), ITIL is a collection of best practices for IT service management. ITIL includes five core guidelines: Strategy, Design, Transition, Operation, and Continuous Improvement (Axelos, n.d.). ITIL's use is widespread, and it helps IT departments effectively plan, organize, manage, and create the rules, policies, processes, and regulations that govern their employees in their daily interactions with software and hardware and, more specifically, with the users who interact with them.

Finally, the ISO/IEC 27002 framework, while similar to ITIL, provides best practices focused more on IT security management. Part of a family of standards, ISO/IEC 27002, created in 2013 by the ISO (International Organization for Standardization), gives IT departments and management the processes for implementing commonly accepted information security controls and helps them create their own guidelines.

While each of the above IT frameworks has its specific uses and strengths, a one-size-fits-all approach rarely applies to all cases. In my own experience, I find that utilizing a combination of various frameworks and creating my own unique approach to IT management is far more efficient, as it allows customization to the organization's specific needs. Not every organization provides the same products or services or is structured in the same way; thus, how its IT department approaches its duties varies as well.

References

Otero, A. R. (2019). Information Technology Environment and IT Audit. In IT Governance and Strategy (5th ed., pp. 133-153). Boca Raton, Florida: CRC Press.

Qualified Audit Partners. (n.d.). COBIT domains and processes (COBIT 5 / 4.1). Retrieved January 11, 2021, from

Axelos. (n.d.). ITIL – IT service management. Retrieved January 11, 2021, from
