Checklist Thinking in a Breach-Driven World: Overview of IT Governance Frameworks - Read Our New Feature in AICPA

Checklist Thinking in a Breach-Driven World

Most organizations say they follow IT governance frameworks, but far fewer step back to consider which framework they are actually using. Some frameworks are designed to run operations on the ground, while others are meant to guide oversight, accountability, and strategic direction. Both matter, but they solve very different problems.

The real issue is not a shortage of frameworks. It is how disconnected they often are in practice. Operational teams may be deeply aligned with ITIL (Information Technology Infrastructure Library)[1] or the NIST Cybersecurity Framework (CSF) 2.0, focusing on service delivery and risk management in real time.[2] At the same time, boards and executives may rely on COBIT or enterprise risk models to guide oversight. When these layers are not connected, the organization starts to drift. Processes can become efficient but misaligned with business priorities, while governance remains theoretical and removed from day-to-day execution.

This gap is where many organizations struggle. Strong operations do not automatically translate into effective governance, and well-defined governance does not guarantee impact on the ground. This article breaks down the two categories of frameworks, explains where each falls short, and uses real-world examples to show why integration is not optional but necessary.


Industry- and process-specific frameworks

Industry- and process-focused frameworks play a critical role in maintaining technology environments that are stable, secure, and aligned with external expectations. Frameworks such as ITIL 4 provide structured approaches to service management,[3] while the NIST CSF helps organizations organize how they identify, assess, and respond to cyber risk.[4] Standards such as PCI-DSS, HIPAA, and CMMC further support compliance with regulatory and contractual obligations.

In practice, these frameworks bring order to complex environments. They reduce variability in how work is performed, improve incident response consistency, and help limit the frequency and impact of system disruptions. They also make assurance activities more straightforward, as audits can focus on whether defined processes exist and are operating as intended. For many CIOs and CISOs, these frameworks are embedded in the daily rhythm of managing IT and cybersecurity.

However, their strength is also their limitation. These frameworks are designed to guide execution, not governance. They do not address who is responsible for defining risk appetite, nor do they ensure that technology decisions are aligned with broader business priorities. As a result, organizations can operate with a high degree of process maturity while still lacking strategic direction.

Queensland Health’s experience in Australia illustrates this gap. The organization operated under a centralized IT service management model aligned with ITIL. Yet, a routine data center upgrade resulted in a major outage that disrupted access to critical clinical systems across the state.[5] The issue was not the absence of process, but the absence of governance emphasis on resilience and oversight. This highlights a broader point: Strong operational frameworks do not eliminate risk on their own. Without clear executive accountability and a deliberate focus on resilience, even well-managed environments remain exposed to significant disruption.


Consolidated governance frameworks

Consolidated governance frameworks operate at a different level than operational models. They are designed for boards and executive leadership, focusing on direction, oversight, and accountability rather than the mechanics of day-to-day execution. Frameworks such as COBIT 2019 link technology initiatives to business objectives,[6] while COSO-based risk approaches integrate technology into broader enterprise risk management.

Their value lies in shaping how decisions are made and who is responsible for them. They push leadership to address fundamental questions. Is technology being used in a way that supports the organization’s objectives? Are investments aligned with strategic priorities? Is risk being understood and managed at the right level? These are governance questions that cannot be answered through process alone.

Recent public sector failures highlight why this distinction matters. The inquiry into Canada’s Phoenix Pay System, for example, pointed to breakdowns in governance and oversight as key drivers of the failure.[7] The issue was not simply how processes were executed, but how decisions were made, challenged, and monitored at the leadership level.

Governance frameworks are not designed to run operations. They do not provide the level of detail needed to restore a failed service or coordinate a response to a cyber incident. An organization can adopt COBIT and still struggle with service instability or ineffective incident response if its operational frameworks are weak or disconnected. Governance sets direction, but without strong execution beneath it, that direction does not translate into results.


Why single-framework adoption fails

The Queensland Health incident clearly highlights this issue. On paper, the organization followed recognized practices. Change management was in place. Incident processes were defined. Service delivery was structured. Still, a routine data center upgrade led to a major outage that disrupted critical clinical systems. The gap was not in the processes themselves. It was in governance. Risk ownership and investment decisions were not clearly tied to enterprise priorities, and executive visibility was limited. Strong processes existed, but they lacked effective oversight.

The reverse situation is just as common. Some organizations build out governance frameworks, define roles through RACI models, and align technology risks with enterprise risk management. From a reporting perspective, everything appears structured. However, operations remain inconsistent. Outages continue, projects fail, and control gaps persist. The issue is that governance does not translate into execution. Frameworks such as ITIL or the NIST CSF may exist within teams, but they are not connected to how decisions are made at the top. As a result, the strategy looks sound, but the day-to-day activity does not reflect it.

A third challenge appears in organizations that focus heavily on compliance frameworks such as PCI-DSS, HIPAA, or CMMC. Effort is directed toward meeting external requirements, often in a structured, disciplined manner. However, these activities are not always linked to broader governance or operational priorities. Compliance becomes routine rather than strategic. The organization meets requirements but does not necessarily improve how it manages risk or builds resilience.


What integration looks like in practice

Integration begins when leadership recognizes that governance and operational frameworks serve different purposes and need to be deliberately connected. Operational frameworks explain how work is performed. Governance frameworks define why it is performed, who is accountable, and how outcomes are evaluated. When these are linked, organizations gain visibility from board-level decisions through to operational performance and back again.

Some organizations have already taken this approach. A U.S. defense contractor working toward CMMC requirements combined COBIT for governance, ITIL for service management, and the NIST framework for security. Rather than treating these as separate initiatives, they brought them together into a single model.

To understand how this works, it is useful to look at the role each framework plays. The Cybersecurity Maturity Model Certification (CMMC) program, developed by the U.S. Department of Defense, requires contractors to demonstrate cybersecurity practices based on the sensitivity of the information they handle. It defines three levels, ranging from basic protection of Federal Contract Information to more advanced controls for Controlled Unclassified Information. Its requirements are built on standards such as NIST SP 800-171 and 800-172, which make certification measurable and tied to contract eligibility.

ITIL 4 serves a different purpose. It focuses on how services are delivered and improved. Its Service Value System helps teams organize activities, manage practices, and maintain consistent service delivery. It does not define governance structures or enterprise risk decisions.

COBIT 2019 operates at the governance level. Maintained by ISACA, it helps organizations determine what should be governed and how management should support business objectives. It provides a structure for evaluating performance, managing risk, and aligning technology with enterprise goals.

Together, these frameworks operate as complementary layers: CMMC defines required cybersecurity outcomes, ITIL supports consistent service delivery, and COBIT connects both to business priorities, risk oversight, and accountability. This alignment allows the organization to meet CMMC requirements and internal audit expectations without adding unnecessary complexity.[8]

The U.S. defense contractor’s experience shows how integration works in practice. Instead of treating CMMC as a stand-alone compliance exercise, leadership started with a basic question: Where do we stand today? Using COBIT, they assessed business objectives, risks, and current capabilities. This exposed gaps that were not visible at the operational level, particularly in incident response and executive awareness of cyber risk.

As teams worked through the assessment, connections between frameworks became clear. Roles were defined more precisely. COBIT established accountability and oversight. ITIL supported day-to-day service delivery. The NIST framework structured security controls. What emerged was not three separate frameworks, but a coordinated model that linked executive direction with operational execution.

Once gaps were identified, the focus shifted to alignment. The organization did not rebuild its environment. Instead, it mapped existing processes and controls to CMMC requirements using simple crosswalks and responsibility assignments. Shared metrics were introduced to enable consistent reporting of operational performance to leadership. The Govern function of the NIST CSF 2.0 was used to tie risk decisions more closely to daily activities. Progress was tracked through defined quarterly targets linked to both compliance and risk reduction.

This approach worked because it was practical. It built on existing processes, clarified ownership, and ensured that governance decisions were reflected in how work was carried out.

Regulators are also moving in this direction. In Canada, OSFI’s B-13 guideline expects a clear linkage between board oversight and operational resilience.[9] In the United States, SEC cybersecurity rules emphasize governance and disclosure at the board level.[10] In the European Union, the Digital Operational Resilience Act (DORA) connects operational resilience, third-party risk, and service delivery. None of these regimes prescribes a single model. They assume that organizations will integrate governance, risk, and operations coherently.


What good governance looks like

When integration is working, it shows up across the organization. At the board level, discussions about cyber risk, technology risk, and business performance are aligned. COBIT helps directors frame the right questions and hold management accountable.[11][12] Risk and audit committees gain a clearer view of how technology supports strategy and where the most significant exposures exist.

At the management level, governance expectations are translated into operational priorities. Decisions on service improvements or cybersecurity investments are assessed against business objectives and risk appetite, rather than treated as isolated technical choices. Governance frameworks guide what matters most. Operational frameworks determine how that work gets done.

At the front line, teams rely on ITIL, the NIST framework, and other control sets, but their work connects back to governance decisions. Operational metrics align with board-level risk indicators. Security controls support enterprise risk reporting rather than existing as stand-alone technical measures. In this model, governance is not treated as a separate activity. It becomes part of how the organization operates day to day.


Conclusion

The question is no longer which framework an organization should adopt. Most already have COBIT, ITIL, the NIST CSF, or industry standards in place. The real issue is how, or whether, these frameworks are connected.

On their own, operational frameworks create structure but not direction. Governance frameworks provide oversight but do not ensure execution. When they operate separately, gaps are inevitable. Processes run, but not always in support of strategy. Governance exists but does not influence day-to-day decisions.

Organizations that manage this well take a different approach. They treat frameworks as parts of a single system. Governance sets direction and defines accountability. Operational frameworks carry that direction into execution. Integration ensures the two stay aligned as conditions change.

That is the difference in practice. Some organizations meet requirements. Others use governance to actively steer performance, risk, and outcomes. In a risk environment that continues to evolve, that distinction becomes harder to ignore.


References
