ISO 27001 Vs. Cobit


Businesses look to the idea of best practices, defined as procedures proven to produce optimal results, to optimize efficiency and profit. Governance frameworks such as ISO 27001 and COBIT serve as highly detailed standards of discipline meant to manage risk, lower losses and reduce negative publicity. Although both ISO 27001 and COBIT cater to governance in the area of information technology -- helping ease IT expenditures and reduce tech-related security risks -- these prominent methodologies differ in focus and details.


The International Organization for Standardization publishes ISO 27001, which acts as a framework for standardized information security management and focuses strictly on security-oriented best practices. The Information Technology Governance Institute publishes COBIT -- Control Objectives for Information and related Technology -- which caters to overall IT controls, measures and processes. COBIT's wider focus aims to bridge the gap between business goals and IT processes.


The ISO 27001 code of practice, essentially an auditing guide that lays out controls that an organization must address, encompasses eight major sections across 34 pages. The much broader COBIT methodology features 34 high-level control objectives and 318 detailed control objectives grouped into the areas of Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor. These guidelines offer management direction for controlling the business's IT processes, overall achievement and organizational goals. In contrast to COBIT, ISO 27001 doesn't feature maturity models, which attempt to provide an overview of how an organization's practices can provide sustainable outcomes.

Focus and Function

ISO 27001's focus on addressing and auditing makes the methodology a control and management framework rather than a process framework. Though it shares this structure with COBIT, ISO 27001 has a more specific target -- security -- and thus caters to lower-level management. The COBIT methodology targets the top-level needs of an enterprise, seeking to improve overall business orientation via IT controls and metrics. As such, COBIT caters to higher-ups such as senior managers, IT managers and auditors.


ISO 27001 and COBIT need not compete with each other. In fact, the two frameworks complement one another: While ISO 27001 targets security, COBIT acts as a sort of “umbrella” framework that helps connect ISO 27001 and other IT governance frameworks such as PMBOK and SEI CMM. Both systems offer “what” rather than “how” data, meaning that they identify and measure output and suggest direction, but don't offer methods for pursuing said direction. Frameworks such as ITIL, also a complement to COBIT and ISO 27001, answer the question of “how.” In the world of IT governance, you'll often run into the term ISO 17799. This methodology, also known as BS7799, is the precursor to ISO 27001, which retains much of its foundation.