Governing Information Security in Conjunction with COBIT and ISO 27001

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

In this paper, after giving a brief definition of Information Security Management Systems (ISMS), ISO 27001, IT governance and COBIT, the pros and cons of implementing only COBIT, implementing only ISO 27001, and implementing both COBIT and ISO 27001 together when governing information security in enterprises will be discussed.


💡 Research Summary

The paper begins with a concise overview of Information Security Management Systems (ISMS), the ISO 27001 standard, and the IT governance framework COBIT. ISMS is presented as a set of processes that use the Plan‑Do‑Check‑Act (PDCA) cycle to continuously manage and improve information security. ISO 27001 provides the detailed requirements for implementing an ISMS, defining ten security domains (policy, asset classification, access control, etc.) and mapping each PDCA phase to specific clauses in the standard. COBIT, on the other hand, is described as a comprehensive governance model built around five principles—strategic alignment, value delivery, risk management, resource management, and performance measurement—and organized into four domains (Plan‑Organize, Acquire‑Implement, Deliver‑Support, Monitor‑Evaluate) with 34 high‑level control objectives.

The core of the article compares three implementation scenarios. When only COBIT is adopted, an organization gains a structured governance environment, clear accountability, and tools for aligning IT with business objectives, but it lacks the granular “how‑to” guidance needed for concrete security controls. Implementing only ISO 27001 delivers detailed controls, a recognized certification that signals to customers and insurers that security is managed, and can reduce incident‑related costs; however, ISO 27001 operates largely as a standalone security framework and does not embed itself in a broader IT governance context. The authors argue that the most effective approach is to combine both standards. ISO 27001’s detailed controls can be mapped to COBIT’s high‑level objectives, thereby providing the “what” (COBIT) and the “how” (ISO 27001) in a unified model. This synergy enables organizations to satisfy regulatory and audit requirements while also achieving strategic alignment, performance monitoring, and value delivery.

To illustrate practical challenges, the paper presents a case study of the Turkish National Research Institute of Electronics and Cryptology (TUBITAK UEKAE) that attempted to roll out ISO 27001‑based ISMS in four public bodies. The initiative encountered several obstacles: limited engagement with senior boards, inadequate allocation of dedicated personnel, a misconception that ISMS scope is limited to the IT department, and the belief that external consultants could fully implement the system. These issues highlight a broader cultural problem—security is often perceived as an IT‑only concern rather than an enterprise‑wide governance issue. The authors cite existing mapping research (references

