Many organizations just getting started with information security policies ask us the question: Should we use ISO 17799 (now ISO 27002) or COBIT? The answer, of course, is that it depends on what you are trying to accomplish. In fact, they are not mutually exclusive, but can be used together.
The basic difference between COBIT and ISO17799:2005 is that ISO 17799 is only focused on information security, whereas COBIT is focused on more general information technology controls. Thus, COBIT has a broader coverage of general information technology topics, but does not have as many detailed information security requirements as ISO 17799:2005. If an organization addresses all of the security controls within ISO 17799:2005, then they will be covering a large part of COBIT in the process – especially the section DS5 Ensure Systems Security. However, COBIT covers a much larger set of issues related to information technology “governance,” and is typically used as part of an overall corporate governance framework.
Organizations that must comply with overall corporate governance requirements such as Sarbanes-Oxley (in the US) or Basel II (international banking) tend to use COBIT, whereas organizations focused primarily on information security may use ISO 17799. As of late 2005, organizations can now get certified against the ISO 17799:2005 standard. This certification, called ISO 27001, is based on the existing BS 7799 standard, and has now been adopted by ISO. So if your organization desires a security certification, ISO 17799:2005 would be an appropriate choice.
COBIT (Control Objectives for Information Technology) is published by ISACA and the IT Governance Institute. ISO 17799:2005 is available from BSI or ANSI. For more information, see our policy compliance solutions page.