Phần 1: Thực hiện triển khai xây dựng ITSM - ITIL Helpdesk Server:

DEPLOY INSTALL A ITIL - ITSM - HELPDESK - IT ASSETS SERVER:

• Phiên bản April.2024: 10.0.15: wget https://raw.githubusercontent.com/PhDLeToanThang/itil-helpdesk/master/Advanced/deploy_itsm_v10015.sh && sudo bash deploy_itsm_v10015.sh

Dưới đây là danh sách các vấn đề bảo mật đã được khắc phục trong phiên bản sửa lỗi 10.0.15 này:

• Lỗ hổng SQL injection từ tìm kiếm bản đồ khi đã đăng nhập (CVE-2024-31456)

• Lỗ hổng chiếm đoạt tài khoản thông qua SQL Injection trong tính năng tìm kiếm đã lưu (CVE-2024-29889) Ngoài ra, đây là danh sách ngắn các thay đổi chính được thực hiện trong phiên bản này:

• Khắc phục quyền sử dụng bởi biểu mẫu đặt chỗ.

• Không dựa vào đầu vào để áp dụng quyền cho các quy tắc.

• Luôn lưu trữ mã thông báo làm mới SMTP Oauth đã cập nhật.

• Nâng cấp tinymce.

• Phiên bản Mar.2024: 10.0.14: wget https://raw.githubusercontent.com/PhDLeToanThang/itil-helpdesk/master/Advanced/deploy_itsm_v10014.sh && sudo bash deploy_itsm_v10014.sh

• Phiên bản Feb.2024: 10.0.12: wget https://raw.githubusercontent.com/PhDLeToanThang/itil-helpdesk/master/Basic/deploy_itsm_v10012.sh && sudo bash deploy_itsm_v10012.sh

• Phiên bản mới nhất Dec.2023: 10.0.10: wget https://raw.githubusercontent.com/PhDLeToanThang/itil-helpdesk/master/Basic/deploy_itsm_v10010.sh && sudo bash deploy_itsm_v10010.sh

• Phiên bản 6 tháng trước: 10.0.9:

wget https://raw.githubusercontent.com/PhDLeToanThang/itil-helpdesk/master/Basic/itil-10-0-9_deploy.sh && sudo bash itil-10-0-9_deploy.sh

• Phiên bản cũ 2 năm trước: 10.5:

wget https://raw.githubusercontent.com/PhDLeToanThang/itil-helpdesk/master/Basic/itil-deploy.sh && sudo bash itil-deploy.sh

Phần 2: Lý thuyết tổng thể về ITSM - ITAM - ITIL Helpdesk và các tiêu chuẩn ngành COSO - COBIT - ITIL - PCI:

ITIL - Helpdesk:

IT SAM - IT Asset - ITIL - Helpdesk - Ticket - KB - Troubleshoot - Proposale Internal IT Lead ISO vs Audit

Chapter 1. Introduction ITL -Helpdesk:

I. IT Asset Management:

IT organizations manage a large amount of the company’s total assets. IT assets are extremely costly to manage and maintain. As a result, asset management plays a major role in helping organizations in fulfilling the requirements of users and business functions.

IT asset management (ITAM) provides an accurate account of technology asset lifecycle costs and risks to maximize the business value of technology strategy, architecture, funding, contractual and sourcing decisions.”

This definition points out that ITAM is not just about collecting the assets, it is not just about carrying assets, it is about using the right information at the right time that is obtained to drive better decision making. This ITAM software will be the best solution that helps businesses in focusing on the informational value of IT asset data to get the best business value.

Asset tracking system is an important part of an IT organization, as it ensures that companies have control over their applications and hardware, have a complete overview of the assets, where they are being used, and how often they are being used.

- IT Asset Management and ITIL: ITIL and asset management is a partnership ensuring you’re planning and managing the relationships between your IT assets and service tickets or requests. The ITIL framework is a set of best practices providing the foundation for better IT service management (ITSM). Incorporating the best practices of ITIL gives you the ability to manage your IT assets in real time with a full understanding of how incidents, problems, changes, and releases impact your assets through an integrated service desk. IT asset management solutions coupled with ITIL best practices reduce business risk by alerting IT of potential software security problems and threats. The goals of ITIL and asset management software include:

1. Acquiring appropriate IT assets while keeping costs low and benefits high
2. Optimizing the use of each IT asset
3. Disposing of IT assets when cost of maintaining them exceeds their benefits
4. Providing information necessary for regulatory compliance, license renewal, and contract renewal

ITIL asset management allows for more effective incident and problem management, which can improve resolution rates and reduce resolution times. It also makes it easier to move, add, or change configurations by connecting service information to specific assets. A good asset management strategy makes it easier to track software licenses and warranties so that your business can avoid unnecessary repair charges or fines for breaching service level agreements (SLAs). This helps keep ITSM costs down.

- Benefits of Asset Management Solutions: IT asset management (ITAM) software allows businesses to:

1. Manage asset compliance
2. Have greater asset visibility
3. Increase accountability
4. Reduce unnecessary purchases
5. Redeploy IT assets quicker
6. Manage contract service levels
7. Automate contract renewal
8. Improve budgeting
9. Improve management of depreciable assets
10. Reduce payments made due to ignorance of warranty status
11. Better measure and control IT costs
12. Manage every asset from requisition through retirement

The IT asset management software benefits greatly from being as automated as possible. Track and tag hundreds of different hardware properties, software titles, and user and location history from your Windows, iOS, and Chrome OS devices. Save time and keep records up to date in a single location by compiling vendor data, warranties, lease terms, and agreements. Expedite break-fixes and changes within service desk tickets by automatically capturing and gathering each asset’s incident history.

II. ITIL Knowledge Management | ITIL Foundation | ITSM:

What is ITIL Knowledge Management Process? The Knowledge Management (KM) or Knowledge Base (KB) Process is one of the main processes under Service Transition module of the ITIL Framework. As described in ITIL v4 documentation, it is the process of creating, sharing, using and managing the knowledge and information of an organization. The ITIL Knowledge Management Process helps the organizations to achieve their goals by making the best use of knowledge. Many large companies already have dedicated teams for managing organizational knowledge.

ITIL Knowledge Management Scope: ITIL Knowledge Management (ITIL KM or ITIL KB) is the central process that receives input from all other ITSM processes and responsible for providing supporting knowledge to all of the ITSM processes when required. Hence, it is defined that this process interacts with every other process of the IT Service Management (ITSM) Framework.

ITIL Knowledge Management Objective: The primary objective of ITIL Knowledge Management Process is to collect, analyze, store and share knowledge and information within an organization. It also reduces the need for rediscovering knowledge, hence improves the service efficiency. This process is also responsible for maintaining the service knowledge management system (ITIL SKMS or ITIL KBs), which symbolizes the total body of knowledge within the organization. Here the objective is to capture, arrange, classify, and store every bit of organizational knowledge and made them available where needed.

Benefits of Using ITIL Knowledge Management: By implementing knowledge management (ITIL V4) practices in your organization, you can improve the IT team's overall capability and provide better service to users. Some of the benefits of this process are:

Reductions the amount of time that must be spent on training employees. Since your team will consistently receive precise and up-to-date information, they will require fewer formal training to meet the performance expectations.

Decreases the number of errors that are made by team members. If your team has the adequate source of knowledge that is needed to take formal decisions, then they are far less likely to go outside the track.

Implementation of the ITIL Knowledge Management process cuts down the effort to complete any steps of the service process more than once. When everyone would have process awareness, it is less likely that a known step will be performed incorrectly.

Availability of instant knowledge allows the IT professionals to respond to customer demands faster and more effectively. Your employees will know the way to answer customer questions more efficiently, thus reducing the number of times you have to intervene or respond to a negative feedback about the lack of knowledge of your team members.

The relevant part of knowledge stored in the SKMS can be made available to the end user by creating a user portal. Thus creating a self-help service desk portal for common users. This can significantly decrease the pressure on the service desk associates, which will eventually increase the quality of service.

The DIKW Model of ITIL Knowledge Management: The DIKW Model (also known as DIKW Pyramid, DIKW Hierarchy, Data pyramid, Knowledge Hierarchy) is a hierarchical model for representing the flow of data through information, knowledge, and wisdom.

In this model, the “D” stands for Data, “I” stands for Information, “K” stands for Knowledge, and “W” stands for Wisdom. The reference model has been shown below:

Data: Data is the collection of discrete facts about events, received as inputs from the processes. Data basically consists of symbols or signs, representing stimuli or signals that are of no use until processed.

Information: Information is processed data. It comes from providing context to data or by asking questions on the data. This typically requires capturing of various sources of data and applying some meaning or relevance to the set of facts. Information tries to answer the question “Who? What? When? Where?”.

Knowledge: Knowledge is a more derived form of data. It is composed of the concepts, experiences, ideas, insights values and judgments of individuals with a clear reference to the information. This usually requires the analysis of information and helps in decision making. Knowledge tries to answer the question “How?”.

Wisdom: Wisdom gives the ultimate insight of the data. It describes the application of knowledge and provides contextual awareness to generate a strong common sense judgment. The use of wisdom enables an organization to manage its strategy and growth in competitive market spaces. Wisdom tries to answer the question “Why?”.

What is Service Knowledge Management System (SKMS) or SKBs in ITIL? As defined in ITIL v4, the Service Knowledge Management System (SKMS) or SKBs is the central repository of the data, information, and knowledge that the IT organization needs to manage the lifecycle of its services.

The SKMS/SKBs is not necessarily to be a single system and usually formed by merging multiple discrete systems & data sources. The main purpose of SKMS (ITIL V4) is to store, analyze and present the service provider's data, information and knowledge in a structured manner.

The Relationship between CMDB, KEDB, CMS, and SKMS: The SKMS/ SKBs is closely related to CMDB, KEDB, and CMS. These act as three levels of data processing. The CMDB captures & record the configuration data and KEDB Records Known errors, the CMS arranges these records in a manageable structure and then that processed information feeds into the SKMS/SKBs. Using these stored information SKMS/SKBs supports delivery of the services and helps to provide relevant information for decision-making. Below Image describes the relationship among them:

ITIL Knowledge Management Activities: The knowledge management (ITIL V4) process has some defined activities that needs to be performed for its successful implementation, those are:

1) Knowledge Management Strategy: Your organization must have defined strategy for identifying the information that needs to be processed by ITIL Knowledge Management process. Your strategy should clearly identify the types of information that need to be passed to the knowledge management. You may choose any parameter as per your business requirement, but all of these strategic identifiers should have been documented to ensure that every team member understands what is expected. For example, A lot of organization describes the feedback from customers, repeated incident reports, and the support costs as key data that needs to be analyzed by this process.

2) Knowledge Transfer: Once you have decided your strategy, you will have to determine the process on how the knowledge will be transferred to other team members or departments. The initial step in knowledge transfer activity is identifying the communication gaps so that you can eliminate them before transferring the knowledge to all the concerned stakeholders. It is absolutely necessary to create a well-defined communication plan for circulating information across all channels during this activity.

3) Information Management: Information can only become knowledge if it is properly processed, managed, and distributed across your team. Instant access to the specific and relevant information is also essential for the success of the ITIL Knowledge Management process. Information management activity is a critical part of the whole process that involves data collection, information management, and determining how this information will be translated to become the knowledge. You should first define a process to organize this information and then record it in a manual as a policy or procedure, so that your team members can access it as and when needed.

4) Management of SKMS: We already know that the ITIL SKMS / ITIL SKBs is a group of systems, tools, and databases needed for successful implementation of knowledge management. This is the system you should use to store, update, and manage data on a regular basis. Your team members should have the appropriate right to access information through the SKMS/ SKBs system at any point in time. So, the management of SKMS/SKBs should have the maximum importance for an organization. ITIL Knowledge Management Sub-Process: There is no defined sub-process of this process. Refer to the below diagram describing the ITIL Knowledge Management Process Flow:

ITIL Knowledge Management Roles and Responsibilities: Knowledge Manager: This Knowledge Manager role is the Process Owner of this ITIL Knowledge Management Process. Knowledge Manager ensures that the IT organization is able to collect, analyze, store and share knowledge and information as and when required. The primary goal of Knowledge Manager is to improve efficiency by reducing the need to rediscover knowledge.

II. Problem Management in ITIL 4: What is problem management? The purpose of problem management is to reduce the likelihood and impact of incidents by identifying actual and potential causes of incidents, and managing workarounds and known errors. Problems are related to incidents, but it is important to differentiate them in the way they are managed:

1. Incidents have an impact on users or business processes, and must be resolved so that normal business activity can take place.
2. Problems are the causes of incidents therefore they require investigation and analysis to identify the causes, develop workarounds, and recommend longer-term resolution. This reduces the number and impact of future incidents.

3 phases of problem management Problem management involves three distinct phases:

1. Problem Identification Problem identification activities identify and log problems by:

1. Performing trend analysis of incident records.
2. Detecting duplicate and recurring issues.
3. During major incident management, identifying a risk that an incident could recur.
4. Analyzing information received from suppliers and partners.
5. Analyzing information received from internal software developers, test teams, and project teams.

2. Problem Control Problem control activities include problem analysis and documenting workarounds and known errors. Just like incidents, problems will be prioritized based on the risk they pose in terms of probability and impact to services. Focus should be given to problems that have highest risk to services and service management. When analysing incidents, it is important to remember that they may have interrelated causes, which may have complex relationships. Therefore problem analysis should have a holistic approach considering all contributory causes such as those that caused the incident to happen, made the incident worse, or even prolonged the incident. When a problem cannot be resolved quickly, it is often useful to find and document a workaround for future incidents, based on an understanding of the problem. A workaround is defined as a solution that reduces or eliminates the impact or probability of an incident or problem for which a full resolution is not yet available. An example of a workaround could be restarting services in an application, or failover to secondary equipment. Workarounds are documented in problem records, and this can be done at any stage without necessarily having to wait for analysis to be complete. However, if a workaround has been documented early in problem control, then this should be reviewed and improved after problem analysis has been completed. An effective incident workaround can become a permanent way of dealing with some problems, where resolution of the problem is not viable or cost-effective. If this is the case, then the problem remains in the known error status, and the documented workaround is applied when related incidents occur. Every documented workaround should include a clear definition of the symptoms and context to which it applies. Workarounds may be automated for greater efficiency and faster application.

3. Error Control: Error control activities manage known errors, and may enable the identification of potential permanent solutions. Where a permanent solution requires change control, this has to be analysed from the perspective of cost, risk and benefits. Error control also regularly re-assesses the status of known errors that have not been resolved, taking account of the overall impact on customers and/or service availability, and the cost of permanent resolutions, and effectiveness of workarounds. The effectiveness of workarounds should be evaluated each time a workaround is used, as the workaround may be improved based on the assessment.

Problem management and other practices: Incident Management: Activities from these two practices are closely related and may complement each other (e.g. identifying the causes of an incident is a problem management activity that may lead to incident resolution), but they may also conflict (e.g. investigating the cause of an incident may delay actions needed to restore service). Risk Management: Problem management activities aim to identify, assess, and control risks in any of the four dimensions of service management. Therefore, it may be useful to adopt risk management tools and techniques. Change Enablement: Problem management typically initiates resolution via change control and participates in the post-implementation review. However, approval and implementation is outside the scope of problem management. Knowledge Management: Output from the problem management includes information and documentation concerning workarounds and known errors. Also, problem management may utilize information in a knowledge management system to investigate, diagnose, and resolve problems. Continual Improvement: Problem management activities can identify improvement opportunities in all four dimensions of service management. Solutions to problems may be documented in a continual improvement register or added to a product backlog.

People aspects of problem management: Many problem management activities rely on the knowledge and experience of staff, rather than on detailed, documented procedures. Skills and capabilities in problem management include the ability to understand complex systems, and to think about how different failures might have occurred. Developing this combination of analytical and creative ability requires mentoring and time, as well as suitable training of techniques such as Cynefin, Kepner and Tregoe, 5-Whys, Ishikawa diagrams and Pareto analysis among others.

III. Ticket: The service assistance module of GLPI meet the specified standards of ITIL v4, the most widely accepted best practice framework for service management software.

ITIL solution historical: On the main ITIL objects (Tickets, Problems and Changes), the solutions can now be multiple and so historized

A color code is now available to indicate the approval status of the solution:

• orange: Waiting for approval ;
• red: Refused solution ;
• green: Accepted Solution.

Helpdesk

ITIL Roadmap:

IV. ITIL Incident Management:

- What is Incident Management:

An incident is an event that may result in the loss or disruption of an organization’s operations, services or functions. Incident management (ICM) is a term that describes an organization’s activities to identify, analyze, and remediate hazards to prevent them from occurring again in the future.

These events within a structured organization are normally handled by an incident response team (IRT), an incident management team (IMT), or the Incident Command System (ICS). Without effective incident management, an incident can disrupt business operations, information security, IT systems, employees, customers, or other vital business functions.

Without incident management, you could lose valuable data, gain low productivity and revenue due to downtime, or be held liable for breaches of service level agreements (SLAs). Even when incidents are insignificant and cause no lasting damage, IT teams should devote valuable time to investigating and fixing problems.

Some of the most important benefits of implementing an incident management strategy include:

1. Prevention of incidents
2. Improved mean time to resolution (MTTR)
3. Reducing or eliminating downtime
4. Higher data accuracy 5.Improved customer experience

Another benefit of incident management applications is an overall reduction in costs. According to a study by Gartner, system or service downtime can cost organizations up to $ 300,000 per hour. Additionally, legal fines and loss of customer trust can have significant financial implications. With incident management, organizations may have to invest upfront, but avoid significant costs later on.

- The classic incident management activities as outlined in ITIL 4 are:

Successful incident management relies on having a clear understanding of what the customer agreed to or is willing to tolerate regarding the duration and handling of any particular incident. This is usually defined in service level agreements (SLAs) or contracts, which include timelines for responding and resolving incidents based on some criteria, usually priority, as a function of impact and urgency.

- 7 Steps to Automate Incident Management Processes:

- Create an Incident Management Workflow (AKA An Incident Life Cycle):

- Standardize Root Cause Analysis (RCA) and Prioritization:

- Operational incident management requires several key pieces:

A service desk is divided into tiers of support: L1, L2, L3, etc.

L1: The first tier is for basic issues, such as password resets and basic computer troubleshooting. Tier-one incidents are most likely to turn into incident models, since the templates to create them are easy and the incidents recur often. For example, a template model for a password reset includes: The categorization of the incident (category of “Account” and type “Password Reset”, for example) A template of information that the support staff completes (username and verification requirements, in this case) Links to internal or external knowledge base articles that support the incident. Low-priority tier-one incidents do not impact the business in any way and can be worked around by users.

L2: Second-tier support involves issues that need more skill, training, or access to complete. Resetting an RSA token, for example, may require tier-two escalation. Some organizations categorize incidents reported by VIPs as tier two to provide a higher quality of service to those employees. Tier-two incidents may be medium-priority issues, which need a faster response from the service desk.

L3: Correct assignment of tiers and priorities occurs when most incidents fall into tier one/low priority, some fall into tier two, and few require escalation to tier three. Those that require urgent escalation become major Incidents, which require the “all hands on deck” response. Major incidents are defined by ITIL as incidents that represent significant disruption to the business. These are always high priority and warrant immediate response by the service desk and often escalation staff. In the tiered support structure, these incidents are tier three and are good candidates for problem management.

- The incident process:

-Incident response:

6 Goals of Incident Management: The prime goal of incident management is to resolve incidents either with temp fix or perm fix and bring back the IT service. We list here a few steps involved during the incident process.

1.Resolve incidents to reduce downtime to the business The prime goal of incident management is to resolve incidents either with temp fix or perm fix and bring back the IT service. Resolving the incidents firstly requires registering the incident in the ITSM tool with a unique reference number. Categorization of the incident is done based on hardware, software, etc., and then the incident is assigned to the appropriate team or a person to take quick action. The investigation and diagnosis are made. The resolution is implemented by searching knowledge articles or reference materials or KEDB, and once the issue is resolved, the incident is closed.

2.Improve the quality of IT service and increase the availability of the operation of the service: Incident management can improve the quality of IT services by identifying the recurring incidents and logging problem tickets to identify the root cause of the incident/ incidents. If there is any recent incident with no resolution, then a problem ticket is created to identify the root cause and fix it. By identifying the recurring incidents and their associated CI’s, availability management or capacity management or information security management, or continuity management can redefine or revise the respective plans and procedures to improve the delivery of services.

3.Monitoring of services, detecting and mitigating incidents: As the incident management team in many organizations is also involved in monitoring, they will get a complete picture of why the incident occurred, what errors or warnings, or exceptions have occurred. Accordingly, the monitoring team can consolidate the complete information from monitoring and event management tools and inform the problem management team for quicker resolution of unknown incidents.

4.Communicate regarding the progress of the major incidents to all stakeholders The incident management team will communicate the major incidents' progress to the necessary stakeholders from the moment it has been registered to the closure. The incident management team keeps sending notifications regularly after every half an hour or the defined timelines to all the relevant stakeholder giving information on the incident like:

1. What is the incident?
2. What is the priority?
3. When the incident occurred?
4. Where is the incident happening or happened?
5. What is the associated CI?
6. How many people are impacted?
7. Who is working on the issue?
8. Estimated time to resolve the incident

5.Ensure SLA’s don’t breach for any reason: The incident manager and management team will have to ensure the SLA doesn’t breach any of the incident tickets for any reason like 3rd party involvement, negligence of the incident management team, dependency on any other problem, or change ticket.

6.Measure the effectiveness of incident management operations: The incident manager has to track the effectiveness of the incident management operations by defining the metrics and KPI’s (Key Performance Indicators) like:

1. Number of incidents
2. Number of major incidents
3. Number of recurring incidents
4. The average time is taken to resolve the incident
5. The average time is taken to resolve the major incident
6. Incidents that triggered problem tickets
7. Incidents that began change tickets

Chapter 2. Selected functions of ITIL Helpdesk system:

Control Panel: The system includes the basic modules: Resources,Support, Management, Tools and Administration.

Ticket queue:

In the Support module, we gain access to the entire queue of requests. They can be freely filtered with the help of selected rules. You can also create your own "Dashboards" for the convenience of use and the individual needs of the administrator or user.

Centralization:

ITIL Helpdesk is a one system for hardware and ticket management. It provides efficiency and ease of use for managers, administrators, consultants and employees in the company, minimizing the necesity to log into multiple systems.

Organizing assets:

Assets relations:

Establishing the relationship between requests, equipment and users allows you to determine where, what devices are located, what is connected to it, what programs and licenses are used, who is responsible for them, and provides an insight into the history of requests and issues related to with the device.

Transparency:

For each resource, we can define the name, location, assign a person or group responsible for the device, source, status, type, manufacturer, model, serial number and inventory. We can also identify individual device components such as: operating systems, software installed on the device, network connections, hardware reservations, certificates, history and associated budgets, contracts, invoices, warranties and notifications.

Coordination:

The insight into the queue of applications provides full knowledge of all matters in the company and allows you to prioritize them. Thanks to the record of internal and external notifications, the system works well not only in IT departments, but also in other areas of activity, such as sales, customer service or marketing.

Server configuration view:

The Resources module allows, among other things, to add devices installed in RACK cabinets,it provides full knowledge about the hardware located in the cabinets and its configuration without the need to visit the server room.

Chapter 3. Overview of COBIT 5, ITIL 4 and ISO 27001/27002:2022

1. Overview:

Interactions In Between ITIL, COBIT and ISO27001 Many of corporations in nowadays invest to IT Department for keeping benefits of their firms(client, secret fir documents …).Again many of big firms implement ITIL, Cobit and ISO27001 to their IT departments in this invest areas. There are many connections and interactions between these technologies. For show interactions between ITIL, Cobit and ISO27001 i should explain the definitions of these terms. In the first header I will try to express ITIL.

ITIL (Information Technology Infrastructure Library): ITIL, formerly an acronym for Information Technology Infrastructure Library, is a set of practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business. (ITIL): Responding to growing dependence on IT, the UK Government’s Central Computer and Telecommunications Agency (CCTA) in the 1980s developed a set of recommendations. It recognized that, without standard practices, government agencies and private sector contracts had started independently creating their own IT management practices.

In ITIL 2011 edition ITIL publish 5 main volumes that define ITSM stage which are:

1. ITIL Service Strategy: understands organizational objectives and customer needs.
2. ITIL Service Design: turns the service strategy into a plan for delivering the business objectives.
3. ITIL Service Transition: develops and improves capabilities for introducing new services into supported environments.
4. ITIL Service Operation: manages services in supported environments.
5. ITIL Continual Service Improvement: achieves services incremental and large-scale improvements.

Key benefits of ITIL:

1. Manage business risk and service disruption or failure.
2. Improve and develop positive relationships with your customers by delivering efficient services that meet their needs.
3. Establish cost-effective systems for managing demand for your services.
4. Support business change whilst maintaining a stable service environment. (Axelos, 2016)

COBIT: Control Objectives for Information and Related Technology (COBIT) is a framework created by ISACA for information technology (IT) management and IT governance. It is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. ISACA first released COBIT in 1996; ISACA published the current version, COBIT 5, in 2012. (Cobit, 2016)

COBIT has 5 main components which are:

1. Framework
2. Process Description
3. Control Objectives
4. Management guidelines
5. Maturity models

COBIT focuses on the broader decisions in IT management and does not dwell into technical details. It is a framework of best practices in managing resources, infrastructure, processes, responsibilities, controls, etc. It is a good solution when managers are looking for a framework which serves as an integrated solution within itself, rather than having to be implemented along with other IT governance frameworks. However, its biggest short-coming is that it does not give “how to” guidelines to accomplish the control objectives. This is not preferred when the thrust in on correct implementation of security controls. (Arora, 2016)

ISO27001: ISO 27000 series is a family of IS management standards. It is the set of standards in this family that focuses on Information Systems Management (ISM). Initially known as the BS7799 standard, this was included in the set of ISO standards when ISO decided to include ISMS standards as one of the set of ISO standards. As a result of this, the standards’ name/number was adopted and it was called the ISO17799:2005 series. To bring the Information Security Management Systems (ISMS) standard BS7799-2 in line with other IS standards, this standard was included in the ISO 27000 series as ISO 27001. ISO 27001 defines methods and practices of implementing information security in organizations with detailed steps on how these implemented. They aim to provide reliable and secure communication and data exchange in organizations. Also, it stresses on a risk approach to accomplishing its objectives. This standard dives deep into ways to implement its sub objectives. This puts managers who are looking for clarifications on implementation, at an advantage. However, it fails to achieve the goal of integrating into a larger system. It is standalone in its nature, and does not work as a complete ISM solution. (Arora, 2016)

COBIT > ITIL > ISO 27001 (Comparison between COBIT, ITIL and ISO 27001, 2016)

COBIT > ITIL > ISO 27002

2. COBIT - ITIL - ISO 27001/27002:2022 as Consolidator:

Interactions:

1. ITIL was designed as a service management framework to help you understand how you support processes, how you deliver services
2. COBIT was designed as an IT governance model, particularly and initially with audit in mind to give you control objectives and control practices on how that process should behave

• The difference between the two is, COBIT tells you what you should be doing, while ITIL tells you how you should be doing it

• Put COBIT and ITIL together, and you have a very powerful model of what you need to be doing and how you need to be doing it, when it comes to your process management

• Basically ISO gives security, but does not provide to acknowledge of how to integrate them into business process

• ITIL focus IT processes

• COBIT focuses on control and metrics

  So, a combination of all three is usually the best approach. COBIT can be used to determine if the company’s needs are being properly supported by IT.ISO can be used to determine and improve upon company’s security posture. And ITIL can be used to improve IT processes to meet the company’s goals (including security).

(A comparison of the business and technical drivers for ISO 27001, ISO 27002, COBIT and ITIL, 2016)

3. Development COBIT framework [8]:

4. Interrelationships of COBIT Components:

5. The COBIT cube:

6. Standards and frameworks that are used for planning IT audit activity:

7. IT audit in accordance with Cobit standard: In today's market circumstances, the fact that the number of jobs that are taking place with the help of information systems constantly growing is indisputable. Managers often know very little about the information system and in that circumstance it is very difficult to them to effectively perform control function and successfully manage information.

8. ITIL4 - ISO 27001/27002:2022 – COBIT2022 Mapping:

and

and Workflow between COBIT to ITIL:

9. COBIT, ITIL and ISO 27002:2022 The main differences:

How to mapping and compare Key items of COBIT > ITIL > ISO 27002:2022?

Employing COBIT 2019 for Enterprise Governance Strategy:

Mapping of ITIL 4 to COBIT 2019 and the IT4IT standard

Table of Mapping Cobit 5 vs ITILv3 2021

Tư duy COBIT 2019

+Năng lực x +Nhiệt Huyết x +/-Cách tư Duy X +/-Phương pháp Khoa học = Tâm ta là Tạo tác là dẫn đầu các pháp: