ISO 38500 versus COBIT: What is the right choice?

As IT governance gains prominence in the organizational setup, the stage is set for a war between ISO 38500 and COBIT.

At the moment, ISO 38500 is slowly making its mark in the industry. People are becoming more aware of this new standard prepared by Standards Australia (as AS8015:2005) and published in 2008. Though there is no official certification for ISO 38500 yet, the standard is facing strong competition from the existing COBIT framework (developed by ISACA), which is an established framework in the enterprise IT space. What is the way ahead? Will companies abandon COBIT for ISO 38500? We get some answers for you.

The scenario

Currently, there is a plethora of IT management frameworks and standards, each catering to a narrow silo. A general lack of clarity still exists when it comes to what constitutes an overarching IT governance framework (or standard) focused specifically on the Board of Management's role. The question that arises is whether ISO 38500 is any better at overcoming this silo-based approach.

As far as standards and frameworks go, ISO 38500 and COBIT are both based on the same principle of corporate IT governance. As Vishal Vyas, an ITIL expert and delivery head for South Asia at ITpreneurs, says, "ISO 38500 has certain predefined requirements to be met (like every other standard) and prerequisites to be fulfilled. Evidence has to be shown if an organization wants a formal ISO 38500 certificate. Subject to fulfillment of these criteria, the organization will be recognized as an ISO 38500 certified organization. On the other hand, COBIT being a framework (i.e., just guidance) to achieve IT governance, no formal COBIT compliance certificate can be gained. Instead, an individual consultant (or organization) can assess your governance framework on the basis of COBIT guidelines."

With a general lack of awareness of ISO 38500 guidelines, IT professionals are still not fully convinced about this standard. "COBIT's philosophy took a while to mature within the industry. When COBIT started to get popular, the new fancy standard called ISO 38500 was introduced. As both these are based on the same principle, there is a lot of confusion floating around," says Rahul Vilas Ghodke, the ITIL service manager and head of automation and transition at Microland.

ISO 38500 v/s COBIT

ISO 38500 v/s COBIT - is this debate justified? Before identifying the right standard or framework, it is critical to understand the significance of both for your organization. According to Chandrakesh Rai, the head of ITIM services at Quinnox, "IT governance is finally gaining importance within organizations. IT consumes 2.5% to 5% of the annual budget. Hence, the senior management is seeking to have standard governance policies, as they are completely clueless about the investment made in IT. Frameworks like COBIT and ISO 38500 help the senior leaders (including the board of directors) in lending a different perspective to IT investments."

If a comparison has to be made, the first point is that ISO 38500 enjoys very little traction in India. There are no implementation guidelines that one can refer to. "If ISO focuses more on the standard, then it will turn out to be quite helpful for organizations, as ISO enjoys more popularity within the corporate world. On the other hand, ISACA is giving more guidance on the implementation of COBIT. This is one of the critical reasons why COBIT has gained wider acceptance," says Rai.

For Vyas, COBIT is definitely more comprehensive, because it gives guidance not only about IT governance but also links processes with other commonly used frameworks like ITIL, PMBOK and InfoSec. ISO 38500 follows the same consistent approach and terminology as other standards, but its contents specifically focus on fulfilling an organization's legal and regulatory requirements with regard to IT governance. It specifies six principles for good corporate governance of IT — responsibility, strategy, acquisition, performance, conformance and human behavior.

Selecting the right framework


The question that still remains is whether ISO 38500 is ready to take off. "In its current form, it's a bit incomplete to act as a stand-alone standard for IT governance. However, the definite benefit will be delivered to organizations which want a formal and validated status in the industry related to their IT governance. At this stage, there is no other way to get your IT governance mechanism formally certified as an organization," informs Vyas.

Before going in for one of these standards or frameworks, certain factors need to be considered. What competencies and skill sets are available in the market to understand the standard? If there are no good consultants, what resources are available to implement the standard? Which assessing bodies exist to monitor the implementation of the standard?

"The CIO's concern is how can I fulfill all the criteria prescribed by the business or how can I guard all information assets of the business as prescribed by banking regulators? To achieve this, the CIO needs to have a strong IT governance mechanism. This can be achieved by COBIT. On the contrary, if the CIO wants to formally establish, validate or certify the organization's IT governance capabilities, I think the way forward is ISO 38500," says Vyas.

As per industry sources, ISO is planning to come up with version two of ISO 38500, which will focus more on the implementation guidelines. COBIT's next version, however, will be a conglomerate of all IT governance standards from ISACA. People are just beginning to understand ISO 38500, while COBIT is slowly reaching the corporate level. Experts say that the two (ISO 38500 and COBIT) can complement each other, if implemented in the right manner.
