The European Union recently announced it has selected COBIT (Control Objectives for Information and related Technology), a set of guidelines on IT security and governance, as one of three international standards for its agricultural paying agencies. The other two are the ISO Standard 17799 and Bundesamt für Sicherheit in der Informationstechnik: IT-Grundschutzhandbuch (IT Baseline Protection Manual).
COBIT, which is issued by the IT Governance Institute (ITGI), offers management, users and IS audit, control and security practitioners a reference framework for measuring performance, ascertaining success factors and using maturity models for benchmarking. The EU Directorate General of Agriculture has used the system since 2001, when the office began training the teams that audit operations that impact approximately half of the EU’s total budget, which was about 98 billion Euros last year.
“At that time, we proposed that they use COBIT,” said Georges Ataya, a member of the ITGI steering committee and professor at the Solvay School of Business in Brussles, Belgium, who also helped the Directorate train auditors from the outset. “It took us quite a few months to convince them that COBIT should be used for the training. Then we started to lobby to have them use it as a base for their controls as well. We presented the different aspects to them, showing how each one of the IT processes in COBIT could help them in one or another situation. Today, COBIT is going to allow them to have one common auditing standard that can cover all aspects of IT.”
The use of different standards is beneficial for the EU, a body composed of many distinct nations and cultures, Ataya said. “The advantage here is that you have different countries with different visions of the same issues: You have the Germans, French, British and any one of the others. There are other standards that have been adopted, and this proves there are different ways of looking at the same problem and ensures when the problem is hot, there will always be some organizations looking at it and giving it some light.
“The market today is mixed up between all the different standards that exist,” he added. “On one hand, you have the ISO Standard 17799 and ITIL (IT information library), and on the other you have COBIT, CMM (Capability Maturity Model), etc. Each of those has been taken as being the standard that IT professionals are going to use to solve of their problems. When those same people find another standard, they say, ‘That’s not the one for me. I’ve found the one I need, and I’m not going to change again.’ What we try to explain to those people that typically all those standards are the almost the same. They are talking about almost the same issues, and none contradict any others. They are mainly different views of the same common business practices and implementation ideas. If you are requiring a standard for development activities, then you would use CMM. If it’s more about delivery and support operations, then you would use ITIL. The advantage with COBIT is that it covers all of them.”
For more information, see www.isaca.org/cobit.htm.