What is the difference between COBIT and ITIL?
COBIT (Control Objectives for Information and Related Technologies) and ITIL (IT Infrastructure Library) serve different but complementary purposes in IT governance and management. COBIT is primarily a governance and audit framework developed by ISACA, focused on aligning IT with business objectives, managing risk, and ensuring regulatory compliance -- it answers the question "are we doing the right things?" ITIL is a service management best-practice framework, now owned by PeopleCert, that provides guidance on how to design, deliver, and improve IT services -- it answers the question "are we doing things right?" Both frameworks reference each other explicitly; ITIL 4 mentions COBIT as a complementary framework, and COBIT 2019 references ITIL as a component practice.
For certification exam candidates, few distinctions cause more confusion than COBIT versus ITIL. Both appear in IT governance and management job descriptions. Both feature heavily in senior IT management certifications. Both reference each other's material. And in many organizations, practitioners work under both frameworks simultaneously without always realizing it.
Understanding the precise differences -- and the specific ways each framework addresses its domain -- is essential for passing exams that reference both, including the ITIL 4 DPI module, the ITIL 4 DITS module, the COBIT 2019 Foundation exam, and the ISACA CGEIT certification. This guide provides a rigorous, exam-focused comparison that will help candidates answer questions correctly whether the exam is ITIL, COBIT, or both.
Framework Origins and Purpose
COBIT: The Governance Framework
COBIT was first published in 1996 by ISACA (Information Systems Audit and Control Association), originally as a set of control objectives for IT auditors. The framework has evolved through six versions, with the current version being COBIT 2019, published in 2018.
COBIT 2019's core purpose is to help enterprises achieve effective governance of enterprise IT (EGIT). It provides a comprehensive framework for assessing governance needs, designing a governance system, and evaluating whether that system is performing as intended.
The COBIT 2019 framework has two primary publications:
- COBIT 2019 Framework: Introduction and Methodology -- the core framework
- COBIT 2019 Design Guide -- how to tailor COBIT to a specific organization
- COBIT 2019 Implementation Guide -- how to implement and improve a governance system
ITIL: The Service Management Framework
ITIL was first published in the late 1980s by the UK government's Central Computer and Telecommunications Agency (CCTA) as a library of IT infrastructure best practices for government agencies. It has evolved through four major versions, with ITIL 4 being the current version, published in 2019 and managed by PeopleCert (which acquired the framework from Axelos in 2021).
ITIL 4's core purpose is to provide guidance on how to create, deliver, and support IT-enabled services that deliver value to organizations and their customers. It is centered on the Service Value System (SVS), which describes how all components of an organization work together to enable value creation through IT services.
The Governance vs. Management Distinction
The most important conceptual distinction between COBIT and ITIL is the governance vs. management boundary. Both COBIT and ITIL 4 make this distinction explicitly, and both COBIT exams and ITIL 4 exams test whether candidates understand it.
The COBIT Definition
COBIT 2019 defines:
- Governance: Evaluates stakeholder needs, conditions, and options to determine balanced, agreed-upon enterprise objectives; sets direction through prioritization and decision making; and monitors performance and compliance against agreed-upon direction and objectives.
- Management: Plans, builds, runs, and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.
COBIT structures its guidance around five governance objectives (EDM domain) and 35 management objectives (APO, BAI, DSS, MEA domains).
The ITIL 4 Definition
ITIL 4 uses identical governance and management concepts but frames them differently:
- Governance is one of the five components of the Service Value System. It consists of three activities: Direct, Control, and Communicate.
- Management is performed through the Service Value Chain and the 34 ITIL 4 practices.
"The governance/management distinction is not COBIT's invention -- it comes from corporate governance theory. But COBIT operationalizes it more rigorously for IT than any other framework. ITIL 4 adopts the distinction but applies it within the service management context rather than the full enterprise governance context." -- Steven De Haes, co-author of COBIT and professor at University of Antwerp
Framework Structure Comparison
COBIT 2019 Structure
| Component | Description |
|---|---|
| Governance Objectives | 5 objectives in the EDM domain (Evaluate, Direct, Monitor) |
| Management Objectives | 35 objectives across APO, BAI, DSS, MEA domains |
| Design Factors | 11 factors that shape governance system design |
| Focus Areas | Thematic areas providing additional guidance (DevOps, cloud, cybersecurity) |
| Capability Levels | 0-5 scale for assessing practice maturity |
The 40 COBIT governance and management objectives are the framework's core. Each objective has:
- A purpose statement
- Governance/management components (practices, activities, information flows, people/roles, policies/procedures, culture/ethics, services/infrastructure/applications)
- Capability level definitions (what "good" looks like at each maturity level)
ITIL 4 Structure
| Component | Description |
|---|---|
| Service Value System (SVS) | The overarching model |
| Guiding Principles | 7 universal recommendations |
| Governance | 3 activities: Direct, Control, Communicate |
| Service Value Chain | 6 interconnected activities |
| Practices | 34 practices across general, service, and technical management |
| Continual Improvement | Embedded across all SVS components |
ITIL 4's 34 practices are its operational core. Each practice has:
- A purpose statement
- A practice success factor (PSF) in the detailed practice guides
- Key performance indicators (KPIs)
- Information flows and interactions with the service value chain
Certification Comparison
COBIT 2019 Certifications (ISACA)
| Certification | Prerequisites | Exam Format | Pass Mark |
|---|---|---|---|
| COBIT 2019 Foundation | None | 75 questions, 120 min | 65% (49/75) |
| COBIT 2019 Design & Implementation | Foundation | 78 questions, 120 min | 65% (51/78) |
| CGEIT (Certified in Governance of Enterprise IT) | Foundation + 5 years experience | 150 questions, 240 min | 450/800 scaled score |
The CGEIT is the senior ISACA governance certification. It is experience-gated and requires demonstrated enterprise IT governance leadership. It is analogous in seniority to ITIL 4 Strategic Leader.
ITIL 4 Certifications (PeopleCert)
| Certification | Prerequisites | Exam Format | Pass Mark |
|---|---|---|---|
| ITIL 4 Foundation | None | 40 questions, 60 min | 65% (26/40) |
| ITIL 4 Practitioner Modules | Foundation | 30 questions, 60 min | 70% (21/30) |
| ITIL 4 Managing Professional | Foundation + 4 MP modules | (4 separate exams) | 70% each |
| ITIL 4 Strategic Leader | Foundation + DPI + DITS | (2 separate exams) | 70% each |
The key difference: COBIT certifications require demonstrated experience for senior-level credentials (CGEIT). ITIL 4 certifications above Foundation require only exam completion -- though the DPI and DITS exams contain content that is much more accessible to candidates with relevant experience.
How the Frameworks Interact
One of the most testable topics in both ITIL 4 and COBIT exams is how the two frameworks complement each other. This is not an abstract question -- real organizations use both simultaneously.
COBIT Governs What ITIL Delivers
The typical enterprise deployment model is:
- COBIT sets the governance objectives -- for example, the APO09 objective "Manage Service Agreements" describes what governance requires from service level management
- ITIL 4 Service Level Management practice provides the operational guidance for how to achieve that objective
- COBIT capability level assessment evaluates whether the ITIL 4 practices are achieving the required governance objectives
In this model, COBIT defines the what (what governance outcomes are required) and ITIL defines the how (how service management practices deliver those outcomes).
"I've seen organizations implement ITIL brilliantly and still fail COBIT assessments because their governance board was not receiving the right information in the right format. ITIL gave them excellent practices. COBIT asked whether those practices were producing the right governance outcomes. Both questions matter." -- Kevin Holland, ITIL author and consultant
Mapping COBIT Objectives to ITIL 4 Practices
| COBIT 2019 Management Objective | Corresponding ITIL 4 Practice |
|---|---|
| APO09: Manage Service Agreements | Service Level Management |
| DSS01: Manage Operations | Monitoring and Event Management |
| DSS02: Manage Service Requests and Incidents | Incident Management + Service Request Management |
| DSS03: Manage Problems | Problem Management |
| BAI06: Manage IT Changes | Change Enablement |
| BAI09: Manage Assets | IT Asset Management |
| BAI10: Manage Configuration | Service Configuration Management |
This mapping is not one-to-one -- COBIT objectives span multiple ITIL practices, and ITIL practices contribute to multiple COBIT objectives. But the mapping helps organizations understand how their ITSM investments relate to their governance obligations.
Exam Preparation: COBIT 2019 Foundation
For candidates adding COBIT 2019 Foundation to their ITSM certification portfolio, the following topics require focused attention:
The design factors -- COBIT 2019 introduced 11 design factors that organizations should consider when designing their governance system. These include enterprise strategy, IT risk profile, current IT issues, size of the enterprise, and regulatory environment. Exam questions frequently test whether candidates can identify which design factors are relevant in a given scenario.
The five governance objectives -- the EDM domain's five objectives (EDM01-EDM05) cover ensuring governance framework setting and maintenance, benefits delivery, risk optimization, resource optimization, and stakeholder engagement. These are the most frequently tested objectives in the Foundation exam.
The capability levels -- COBIT 2019 uses a 0-5 capability scale where level 0 indicates the practice does not exist, level 1 indicates an incomplete process, and levels 2-5 indicate increasing sophistication. The exam tests whether candidates understand what each level means and what evidence is required to demonstrate each level.
Which Certification to Pursue First?
For most IT professionals beginning their certification journey, the recommended sequence is:
- ITIL 4 Foundation -- builds the service management vocabulary and framework knowledge that makes COBIT easier to understand
- COBIT 2019 Foundation -- adds governance framework knowledge that complements ITIL's operational focus
- ITIL 4 Managing Professional or Strategic Leader -- depending on career direction
- COBIT 2019 Design & Implementation or CGEIT -- for senior governance roles
The two frameworks use similar vocabulary (governance, management, value, risk) but assign it precise meaning that can differ. Candidates who study one framework before the other benefit from recognizing shared concepts while carefully noting definitional differences.
Frequently Asked Questions
Do COBIT and ITIL certifications count toward each other's certification tracks?
No. COBIT certifications are managed by ISACA and ITIL certifications are managed by PeopleCert. They operate entirely separate certification schemes with no credit transfer between them. Holding ITIL 4 Foundation does not reduce what is required for COBIT 2019 Foundation, and vice versa. However, the content knowledge from one framework significantly aids preparation for the other.
Which certification is more valued by employers: COBIT or ITIL?
This depends entirely on the role. ITIL certifications are more widely recognized in IT service management and operations roles -- service desk, incident management, change management, and ITSM tool administration roles often list ITIL as preferred or required. COBIT certifications are more valued in IT audit, governance, risk management, and compliance roles. Senior IT leadership roles (CIO, IT Director, Head of Governance) benefit from both. ITIL is more widely held globally; COBIT Foundation and CGEIT are niche but highly regarded in governance-intensive industries.
Is ITIL 4's DPI module essentially a COBIT-equivalent within the ITIL scheme?
The DPI (Direct, Plan and Improve) module covers governance, direction-setting, and organizational improvement in a way that has significant conceptual overlap with COBIT. However, DPI is not a COBIT equivalent -- it applies governance concepts within the ITIL 4 service management context rather than providing the full enterprise IT governance framework that COBIT offers. Candidates who pass DPI will find COBIT 2019 Foundation more accessible, but DPI does not substitute for COBIT certification in roles that specifically require COBIT expertise.
References
- ISACA. (2018). COBIT 2019 Framework: Introduction and Methodology. ISACA.
- ISACA. (2018). COBIT 2019 Design Guide. ISACA.
- Axelos. (2019). ITIL 4 Foundation: IT Service Management. TSO.
- Axelos. (2021). ITIL 4 Strategist: Direct, Plan and Improve. TSO.
- De Haes, S., Van Grembergen, W., & Debreceny, R. (2013). COBIT 5 and Enterprise Governance of IT. Journal of Information Systems, 27(1), 307-324.
- Holland, K. (2022). COBIT and ITIL: Complementary Frameworks in Practice. Pink Elephant International.
- ISACA. (2023). COBIT 2019 Foundation Exam Candidate Guide. ISACA.
- PeopleCert. (2023). ITIL 4 and Complementary Frameworks. PeopleCert Ltd.
- IT Governance Institute. (2007). COBIT Mapping: Mapping ITIL v3 with COBIT 4.1. ITGI.
- Weill, P., & Ross, J. W. (2004). IT Governance. Harvard Business School Press.