Originally designed for auditors to audit the IT organisation, COBIT 5 (Control Objectives for IT) is about linking business goals to IT objectives (note the linkage here from vision to mission to goals to objectives). COBIT 5 (launched April 2012) provides metrics and maturity models to measure whether or not the IT organisation has achieved its objectives. Additionally, COBIT identifies the associated responsibilities of the business process owners as well as those of the IT process owners.
COBIT (originally Control Objectives in IT) is owned and supported by ISACA. It was released in 1996; the current version 5.0 (April 2012) brings together COBIT 4.1, Val IT 2.0 and Risk IT frameworks.
The COBIT 5 principles and enablers are generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector (Figures 1 and 2).
Figure 1: The COBIT 5 Principles
Figure 2: The COBIT 5 Enablers
The process reference model defines and describes in detail a number of governance and management processes. It represents all the processes normally found in an organisation relating to IT activities, thus providing a common reference model understandable to operational IT and business managers and their auditors/advisors. The process reference model divides the processes of organisation IT into two domains – governance and management:
COBIT 5 provides a set of 36 governance and management processes within the framework.
The governance domain contains five governance processes; within each process, evaluate, direct, and monitor practices are defined.
• EDM1: set and maintain the governance framework
• EDM2: ensure value optimisation
• EDM3: ensure risk optimisation
• EDM4: ensure resource optimisation
• EDM5: ensure stakeholder transparency
The four management domains, in line with the responsibility areas of plan, build, run, and monitor (PBRM), provide end-to-end coverage of IT:
• Align, plan, and organise
• Build, acquire, and implement
• Deliver, service, and support
• Monitor, evaluate, and assess
A casual look at the four management domains of COBIT 5 rapidly illustrates its direct relationship with ITIL.
• The align, plan, and organise domain relates to the service strategy and design phases
• The build, acquire, and implement domain relates to the service transition phase
• The deliver, service, and support domain relates to the service operation phase
• And finally, the monitor, evaluate, and assess domain relates to the continual service improvement phase
All aspects of COBIT 5 are in line with the responsibility areas of plan, build, run and monitor. In other words, COBIT 5 follows the PDCA cycle of Plan, Do, Check, and Act. COBIT has been positioned at a high level, and has been aligned and harmonised with other, more detailed, IT standards and proven practices such as COSO, ITIL, ISO 27000, CMMI, TOGAF and PMBOK. COBIT 5 acts as an integrator of these different guidance materials, summarising key objectives under one umbrella framework that links the proven practice models with governance and business requirements.
Its intended audience is senior business management, senior IT management and auditors.
Scope and constraints
COBIT provides an ‘umbrella’ framework for IT governance across the whole of an organization. It is mapped to other frameworks and standards to ensure its completeness of coverage of the IT management life cycle and support its use in enterprises using multiple IT-related frameworks and standards.
Some strong points are:
· Value creation through effective governance and management of enterprise information and technology (IT) assets
· Business user satisfaction with IT engagement and services by enabling business objectives
· Compliance with relevant laws, regulations and policies
Some weak points are:
· Treating COBIT as a prescriptive standard when it should be interpreted as a generic framework to manage IT processes and internal controls. Key themes from COBIT must be tailored to the specific governance needs of the organization.
· Lack of commitment from top management – without their leadership and support, the IT control framework will suffer and business alignment of IT risks will not happen.
· Underestimating the cultural change – COBIT is not just about the technical aspects of IT. The organization needs to have a good understanding of the governance controls for the IT risks.
Relevant links (web links)
Further information from the IT Governance Institute: