All About COBIT
Everything you need to know about the COBIT framework
March 12 - 11 min read
The COBIT framework was first introduced by ISACA (Information Systems Audit and Control Association) in 1996 and had the longer name Control Objectives for Information and Related Technologies. It's a framework for managing and governing enterprise IT environments and is defined as "...a framework for the governance and management of enterprise information and technology (I&T), aimed at the whole organization." COBIT offers a wealth of guidance, including best practice guidance, analytical tools, and models designed to help organizations ensure their IT systems are effective, secure, and aligned with business goals.
What is COBIT?
The statement that "COBIT is a framework for managing and governing enterprise IT environments" will likely mean different things to different people. It's, therefore, important to understand more about what this means, starting with the difference between governance and management.
COBIT offers the following definitions to help:
- "Management plans, builds, runs, and monitors activities, in alignment with the direction set by the governance body, to achieve the enterprise objectives."
- "Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives. Direction is set through prioritization and decision making. Performance and compliance are monitored against agreed-on direction and objectives."
Source: ISACA (2018)
COBIT has also evolved since its 1996 origins, with continued changes to its auditing-based roots across the following COBIT versions:
- 1998 - Version 2
- 2000 - Version 3
- 2005 - Version 4
- 2007 - Version 4.1
- 2012 - COBIT 5
- 2018 - COBIT 2019
The COBIT 2019 update in 2018 addressed recent trends in IT, including cloud, DevOps and Agile, the Internet of Things (IoT), and service integration and management (SIAM). It also spelled out what COBIT is not, stating that COBIT:
- "Is not a full description of the whole I&T environment of an organization
- Is not a framework to organize business processes
- Is not an (IT) technical framework to manage all technology
- Does not make or prescribe any IT-related decisions."
This latest version of COBIT covers several key IT management areas:
- Ensuring that IT is kept running
- Effective cost management and value optimization
- Aligning IT with the business better
- Compliance
- Benchmarking.
The COBIT framework
COBIT 2019 organizes IT governance and management objectives and practices around a structured framework that includes:
- Principles - COBIT offers governance system and framework principles, which provide the foundation for the organizations adopting it. The governance system and framework principles are shared later.
- Governance and management objectives - COBIT provides five governance objectives and 35 management objectives. Their groupings and examples are shared later.
- Components - COBIT offers seven governance components that describe each governance and management objective. These components are also covered later.
- Goals cascade - this model links higher-level enterprise goals to governance and management objectives. How this is done is shown below.
[Figure: the COBIT goals cascade. Source: ISACA, COBIT 2019 (2018)]
- Design factors - COBIT provides a set of design factors to help organizations determine which COBIT elements are most relevant. These design factors are covered in more detail later.
- Focus areas - there are supplementary guidance publications that help make COBIT relevant to specific focus areas. For example, Small and Medium Enterprises, DevOps, Information Security, and Information and Technology Risk.
- Implementation - ISACA methodologies for COBIT include processes, templates, and directions to help organizations achieve their governance and management objectives.
- Performance management - how well the governance and management system work and can be improved as needed.
The benefits of using COBIT
ISACA states that COBIT 2019 "...defines the components to build and sustain a governance system: processes, policies and procedures, organizational structures, information flows, skills, infrastructure, and culture and behaviors." It's a great elevator pitch, but how will COBIT help your organization beyond improved governance?
The additional benefits of COBIT adoption include:
- Better IT alignment with business objectives - when IT processes and projects are aligned with the organization's strategic goals, it results in better business outcomes and decision-making.
- Increased value delivery - thanks to improved business alignment, organizations are better placed to optimize the value derived from IT.
- Improved stakeholder confidence - with COBIT, IT organizations can better demonstrate their commitment to effective IT governance to stakeholders, increasing stakeholder confidence and trust as a result.
- Enhanced efficiency and effectiveness - standardizing and streamlining IT processes using COBIT best practices helps organizations improve their IT operations, which brings cost savings and better resource utilization.
- Improved risk management - COBIT helps organizations minimize risks across information security, compliance, and operational processes through guidance on identifying, assessing, and managing IT-related risks.
- Increased compliance - COBIT helps organizations comply with relevant laws, regulations, and contractual agreements, reducing the risk of penalties, legal issues, and reputational damage.
- Better information security (InfoSec) - COBIT provides InfoSec controls and practices to improve the confidentiality, integrity, and availability of information.
COBIT governance system and framework principles
There are six COBIT governance system principles:
- Provide stakeholder value - this principle emphasizes that enterprises exist to create value for their stakeholders, and the COBIT framework helps ensure that the governance and management of enterprise IT contribute to overall stakeholder value.
- Holistic approach - COBIT advocates a comprehensive approach to IT governance and management. It recognizes that various interrelated components must work together effectively for success.
- Dynamic governance system - this principle acknowledges the ever-changing business and IT environments, highlighting the need for a governance system that's flexible and adaptable.
- Governance distinct from management - COBIT delineates governance from management activities, defining governance as the responsibility of the board of directors and executive management.
- Tailored to enterprise needs - COBIT is designed to be flexible and customizable, enabling organizations to tailor it according to their specific context, including their industry sector, risk appetite, and regulatory requirements.
- End-to-end governance system - this principle highlights the importance of an end-to-end governance and management system. It underscores the need for IT to be integrated with business goals and processes, ensuring that IT services and solutions support business operations effectively and contribute to business success.
These COBIT 2019 principles enhance the five principles previously included in COBIT 5:
- Meeting stakeholder needs
- Covering the enterprise end-to-end
- Applying a single integrated framework
- Enabling a holistic approach
- Separating governance from management
There are also three COBIT governance framework principles:
- Based on a conceptual model
- Open and flexible
- Aligned to major standards
COBIT governance and management objectives
As mentioned earlier, there are 40 COBIT governance and management objectives (five governance objectives and 35 management objectives). These objectives are grouped into the following five areas:
- Evaluate, Direct and Monitor (EDM) - focusing on the governance aspect of IT and emphasizing the evaluation of IT performance, the alignment with business objectives, and the monitoring of IT processes to ensure they deliver the expected value.
- Align, Plan and Organize (APO) - covering the alignment of IT with business strategy and ensuring that IT capabilities are planned and organized to best support business objectives.
- Build, Acquire and Implement (BAI) - dealing with acquiring, developing, and implementing IT solutions and services.
- Deliver, Service and Support (DSS) - focusing on delivering and supporting IT services and ensuring they are delivered in a way that supports business operations and meets end-user needs.
- Monitor, Evaluate and Assess (MEA) - focusing on monitoring, evaluating, and assessing IT performance and conformance. This includes ensuring compliance with internal and external requirements, assessing the performance of IT processes, and conducting audits and assessments to identify improvement opportunities.
Example management objectives from each of these areas include:
- EDM01: Ensured governance framework setting and maintenance. The purpose of EDM01 is to ensure that an organization's governance framework is effectively designed and maintained. It involves setting up and continually improving the structures, processes, and practices needed for effective IT governance, ensuring they align with the organization's objectives and compliance requirements.
- APO01: Managed I&T management framework. The purpose of APO01 is to ensure that an organization has a structured approach to managing its I&T-related activities. This involves the development of a management framework that guides the planning, organization, and control of I&T processes. The focus is on creating a comprehensive framework aligned with business needs and adaptable to change.
- BAI06: Managed IT changes. The purpose of BAI06 is to establish a structured approach to managing changes in the IT landscape, ensuring that all changes are assessed, approved, implemented, and reviewed to support the organization's strategic objectives. This involves change planning and impact assessment, change approval, change implementation, and post-implementation review activities.
- DSS02: Managed service requests and incidents. The purpose of DSS02 is to establish and maintain a systematic approach to managing and resolving service requests and incidents. This involves incident identification and service request intake, classification and prioritization, resolution and fulfillment, and monitoring and tracking.
- MEA03: Managed compliance with external requirements. The purpose of MEA03 is to establish a comprehensive approach to compliance management that encompasses the identification, assessment, and assurance of compliance with external requirements. This involves identifying applicable requirements, assessing compliance, and addressing non-compliance.
The seven COBIT components
COBIT, like ITIL 4, covers more than processes. It offers six other "components," in addition to processes, for effective governance:
- Principles, policies, and frameworks - these help translate desired behaviors into practical day-to-day management guidance, including overarching governance principles and the policies and practices that guide IT operations.
- Organizational structures - these define roles, responsibilities, and decision-making authority for IT governance and management at every level, from project teams and service departments, through committees, up to the executive board.
- Culture, ethics, and behaviors - these human elements are crucial for effective governance and management and influence how policies and processes are implemented.
- Information - the recognition that information is a key resource for all organizations.
- Services, infrastructure, and applications - the systems, technology, and applications providing an organization with IT processing and services.
- People, skills, and competencies - the recognition that people's knowledge, skills, and abilities are essential to performing processes and activities.
COBIT design factors
COBIT 2019 introduced "design factors" as a part of its governance system. This change acknowledged that there's no "one-size-fits-all" approach to implementing governance and management frameworks.
The design factors allow your organization to tailor its COBIT use to its specific context, needs, and priorities. This ability makes COBIT more flexible and effective.
Eleven design factors are shared in COBIT 2019. Each addresses different aspects that influence how a governance system is structured:
- Enterprise strategy - the overall direction and objectives of an organization, which influence the prioritization and implementation of IT governance and management activities.
- Enterprise goals - the measurable goals an organization aims to achieve (which help align IT initiatives with business objectives).
- Risk profile - the types and levels of risk an organization is willing to accept to pursue its objectives, influencing the governance and management practices that mitigate the risks.
- I&T-related issues - the current challenges and problems in an organization's IT environment that must be addressed.
- Threat landscape - the external and internal threats to an organization's I&T assets, requiring specific governance and management responses.
- Compliance requirements - the legal, regulatory, and contractual obligations an organization must adhere to, with these shaping the governance practices required to ensure compliance.
- Role of IT - the role IT plays within an organization, whether as a utility provider, a business enabler, or a strategic partner. This perspective affects the structure and objectives of IT governance.
- Sourcing model for IT - how IT services are provided, whether in-house, outsourced, or via a hybrid model. This also influences governance structures and processes.
- IT implementation methods - how an organization approaches implementing IT solutions and changes within its environment. It encompasses the methodologies, practices, and processes used to manage IT projects, from adopting new technologies to enhancing or replacing existing systems.
- Technology adoption strategy - an organization's approach to adopting new technologies, influencing governance practices to support innovation while managing risks.
- Enterprise size - the size of an organization, with this impacting the complexity and scalability of the governance system to be implemented.
Importantly, the design factors can make some COBIT governance and management objectives more critical than others or require specific variants.
COBIT is not the only IT governance approach
In addition to COBIT, there are other bodies of best practice to consider, for example:
- ITIL (formerly known as the Information Technology Infrastructure Library) - ITIL is a popular approach to service management and IT service management (ITSM), providing a set of best practices for service delivery and support.
- ISO/IEC 38500 - ISO/IEC 38500 is the international standard for corporate governance of IT. It provides a framework for the effective, efficient, and acceptable use of IT within organizations.
- TOGAF (The Open Group Architecture Framework) - TOGAF is an enterprise architecture framework that provides an approach for the design, planning, implementation, and governance of an enterprise information technology architecture. It's not strictly an IT governance framework. Still, it supports IT governance by ensuring IT strategy is closely aligned with business goals and objectives.
COBIT versus ITIL
It's not a case of choosing COBIT or choosing ITIL, or ditching ITIL to adopt COBIT. So, it's not a "COBIT versus ITIL" situation. Instead, COBIT integrates with other industry IT management frameworks and standards, such as ITIL, the ISO family of standards, and TOGAF (per the third COBIT governance framework principle).
So, adopting COBIT isn't about replacing what your organization currently has. Instead, it can be used in tandem to improve business operations and outcomes. COBIT and ITIL have always complemented each other, and the most recent updates to both frameworks reinforce this. There are some high-level similarities. For example, both frameworks focus on transforming stakeholder needs into value and are designed to be customized to fit organizational needs.
There are lower-level similarities, too. After all, they're both designed to help with IT management. If you're already familiar with ITIL, then these two COBIT management objectives will be recognizable in terms of similar ITIL 4 practices:
- DSS02: Managed service requests and incidents - helping to ensure that IT incidents and service requests get resolved in a timely manner.
- BAI06: Managed IT changes - helping to enable the efficient and effective delivery of IT changes to the business.
Three additional COBIT 2019 changes
The move from COBIT 5 to COBIT 2019 is important to understand, especially because any Google searches related to COBIT can still bring back COBIT 5 content. Many of the version changes are included in this blog post, although there might not be a "then and now" comparison:
- The six COBIT 2019 governance system principles enhanced the five principles included in COBIT 5.
- COBIT 2019 has the same five high-level governance and management domains as COBIT 5, but there are now 40 detailed objectives instead of 37. Managed Data is new, and two COBIT 5 processes have each been split in two: Manage Programs and Projects into "Managed Programs" and "Managed Projects," and Monitor, Evaluate and Assess the System of Internal Control into "Managed System of Internal Control" and "Managed Assurance."
- The eleven design factors are new to COBIT 2019.
- The seven COBIT "components" were called "enablers" in COBIT 5.
There are also three additional key changes between COBIT 5 and COBIT 2019:
- The COBIT 2019 portfolio includes a new Design Guide and updated Implementation Guide to help with COBIT adoption.
- COBIT 2019 introduced the COBIT Performance Management (CPM) model based on CMMI. Using the CPM, an organization can score its governance and management processes from 0-5. The new scoring mechanism differs from COBIT 5 scoring - Level 2 is now the basic level, and Levels 3 and above are more advanced.
- ISACA introduced an "open-source" model for COBIT. This means that COBIT users can provide feedback and propose enhancements for future versions.