Tugba Yildirim, CISA, CRISC and Bilgin Metin, Ph.D.
IT governance processes and quality management systems (QMS) processes can be considered together by focusing on their similar aspects, thereby increasing the quality of IT processes integrated with QMS. Businesses adapt their IT processes to widely accepted frameworks and standards, such as COBIT1 and ISO 9001:2008, to prove their reliability and competence.
COBIT is regarded as an effective framework to provide IT excellence and quality.2 Stephen Reingold proposes that refining IT processes increases the quality of IT process and product quality. Moreover, their effectiveness and efficiency are improved.3
COBIT 4.1 includes maturity models for each process (based on, but in many respects quite different from, the Capability Maturity Model Integration approach) to support assessment of its current maturity state and supporting process improvement planning toward a future maturity state. This means that COBIT is used for improving systems and software quality.4 In light of the academic studies and case studies about COBIT 4.1, it can be seen that COBIT provides quality IT-related processes resulting in more manageable and controllable environments.
To prove quality, enterprises may choose to (or be required by a key customer to) comply with ISO 9001:2008 for specific areas of their activity. Quality management models based on ISO 9001:2008 lead to much more competitive enterprises.5, 6 ISO 9001:2008 implementation creates much more efficient and effective operation; increases customer satisfaction; reduces the number of audits; enhances marketing; improves employee motivation, awareness and morale; promotes international trade; increases profit; reduces waste; and increases productivity.7
Similar to COBIT, ISO 9001:2008 has also been studied for integration with other standards. These studies aimed to provide quality for business as a whole8 and proposed to use ISO 9001:2008 for software quality management.9 ISO 9001:2008 is used to provide quality in e-commerce environments. A model has been developed for the compliance of these environments with ISO 9001:2008 standard.10
However, there is not enough emphasis on the relationship between COBIT 4.1 and ISO 9001:2008. Both of these are widely used, and they focus on refining processes and aim to improve effectiveness and efficiency. Organizations can benefit from the guidance of COBIT 4.1 for IT procedures while using ISO 9001:2008 to improve their quality. Also, organizations should not use human resources (HR) more than necessary for common tasks in the proposed approach. Some IT governance processes and QMS processes can be taken into consideration and carried out together. This may simplify organizational schema for better management. Furthermore, this approach can increase communication and improve collaboration between IT and quality management departments. Therefore, this article aims to integrate processes of COBIT 4.1 and ISO 9001:2008 so organizations can increase the effectiveness and efficiency of the QMS through COBIT 4.1 control objectives.
A high-level mapping is done to compare the domain areas of COBIT 4.1 with the requirements of ISO 9001:2008 by describing the overlap.
COBIT 4.1 has four domain areas—Plan and Organize (PO), Acquire and Implement (AI), Deliver and Support (DS), and Monitor and Evaluate (ME) (figure 1). In the framework, there are processes and related control objectives. These control objectives are affected by COBIT resources: applications, information, infrastructure and people. COBIT’s information criteria (the business objectives of processing information) are listed as effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability (COBIT 4.1).
COBIT 4.1’s approach is targeted at auditing, control, management and governance. ISO 9001:2008’s approach is in line with COBIT 4.1’s approach with respect to its management system objective subjects.11 ISO 9001:2008 is also focused on improving processes to increase profit and create a more efficient and effective operation. Assessments, improvements and audits based on COBIT 4.1 and ISO 9001:2008 can be taken into consideration across the organization. These assessments can be integrated, and, in this way, IT processes’ quality can be made more effective and efficient—clarifying the relationship among these two references.
In this high-level mapping, COBIT domain areas are mapped with ISO 9001:2008 requirement areas, which are:12
COBIT’s four process domain areas have much in common with ISO 9001:2008 requirements (figure 2). COBIT 4.1 provides guidance on quality management with the help of PO8 Manage quality. In PO8, there are control system recommendations for establishment and management of a quality management system. Continual improvement of ISO 9001:2008 requirements (figure 3) are also included in PO8.5.
There are several examples of the shared attributes of these two references. To illustrate, COBIT’s ME domain is related to ISO 9001:2008’s part 5.6 Management’s Review under Management Responsibility. In COBIT 4.1, the ME domain has control objectives for monitoring all processes to determine whether the provided direction is followed. In ISO 9001:2008’s Management Responsibility part, management is also described as responsible for reviewing the system.
Both the COBIT framework and ISO 9001 stress segregation of duties to ensure clarity among roles and responsibilities. In the PO domain of COBIT, the relevant control objectives are PO4.6 Establishment of roles and responsibilities and PO4.11 Segregation of duties. Similarly, in ISO 9001:2008, part 5.5 Responsibility, Authorization and Communication proposes that segregation of duties should be completed under the responsibility of management.
Service support is an important part of IT governance and, in COBIT 4.1, managing support service organizations’ issues is found in the DS domain. Similarly, in part 7.4 Purchasing of ISO 9001:2008, support service organization management issues are taken into consideration. Customer satisfaction is an integral aim of ISO 9001:2008, and it is described in part 7.2 Customer Related Issues. In COBIT, customer focus is considered in PO8.4, which “focuses quality management on customers by determining their requirements and aligning them to the IT standards and practices” and defines roles and responsibilities concerning conflict resolution between the user/customer and the IT organization.13
COBIT provides good practices across the AI domain, which “provides the solutions and passes them to be turned into services.”14 The AI domain’s control objectives question if new projects deliver solutions to meet business needs and if new systems will work properly when implemented. The related portion of ISO 9001:2008 is part 7 Product Realization, which provides development stages with appropriate testing for developing new products to check whether the developed product meets the business and legal requirements and provides user satisfaction.
Part 8 of ISO 9001:2008, Measurement, Analysis and Improvement, is largely related to the ME domain of COBIT, which includes ME1 Monitor and evaluate IT performance, ME2 Monitor and evaluate internal control, ME3 Ensure compliance with external requirements and ME4 Provide IT governance. With these common requirements, both COBIT and ISO 9001:2008 focus on preventing errors by monitoring and taking remedial, corrective actions against undesirable business events.
Other than the related objectives of ISO 9001:2008 and COBIT 4.1, their affected parties and general aims show a parallelism. To illustrate, COBIT 4.1’s control objectives affect application, information, infrastructure and people to provide effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability, which are also the aims of QMS.
Taking the parallel objectives of the COBIT framework and ISO 9001:2008 Quality management systems can assist with integrating these two references in assessments and reduce the time and effort spent.
Success in business can be achieved by improving business processes. Since IT processes are at the heart of the business life, creating more effective and efficient processes results in achievement of business objectives. By mapping the common objectives of COBIT 4.1 and ISO 9001:2008, both IT governance processes and QMS processes can be taken into consideration and carried out together, allowing one to support IT quality systems management and IT processes effectively and efficiently. Carrying the compliance efforts out in tandem can reduce the allocated time and resources for compliance studies.
1 ISACA, COBIT 4.1, USA, 2007, www.isaca.org/cobit2 Robinson, Nick; “IT Excellence Starts with Governance,” white paper, Ernst & Young, 20053 Reingold, Stephen; “Refining IT Processes Using COBIT,” ISACA Journal, vol. 3, 20054 IT Governance Institute, Mapping of CMMI for Development V1.2 with COBIT 4.0, USA, 20065 Wade, Jim; “Is ISO 9000 Really a Standard?,” ISO Management Systems Journal, May/June 20026 Barnes, Frank; “Good Business Sense Is the Key to Confronting ISO 9000,” Review of Business Journal, vol. 21, no. 1, 20007 Rohitratana, K.;”Reasons Why Companies Should Have ISO Certification,” Providence Business News, 28 August 20008 Land, Susan K.; John W. Walz; Practical Support for ISO 9001 Software Project Documentation, IEEE Computer Society and Wiley-Interscience, p. 432, 20069 Jovanovic, V.; D. Shoemaker; “ISO 9001 Standard and Software Quality Improvement,” University of Detroit Mercy, USA, 199710 Tam, B.; Chinho L.; Hsiang-Chin H.; “An ISO 9001:2000 Quality Information System in E-Commerce Environment,” Industrial Management & Data Systems, vol. 103, iss. 9, 2003, p. 666–67611 Pekel, A.; “Bilgi Ve Ílgili Teknolojiler Için Kontrol Hedefleri,” Turkish Information Institute, 200812 Whittington, L.; ”ISO 9001:2008 Requirements in Plain English,” www.the9000store.com13 Op cit, ISACA 14 Ibid.
COBIT 4.1 is still widely used, but COBIT 5 was released in 2012. For more information on the latest release, visit www.isaca.org/cobit5.
Tugba Yildirim, CISA, CRISC, works in the information systems (IS) control and audit function at Bank Asya, where she specializes in IS control design, testing and monitoring. Her background includes IS, instructional technology and management of IS education.
Bilgin Metin, Ph.D., has more than 15 years of experience in the IT sector. He is currently an assistant professor in the Management Information Systems Department of Bogazici University (Istanbul, Turkey).
Enjoying this article? To read the most current ISACA Journal articles, become a member or subscribe to the Journal.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.
© 2013 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.