COBIT® 2019
The basics
Originally designed for auditors to audit the IT organization, COBIT (Control Objectives for Information and Related Technology) is about linking business goals to IT objectives (note the linkage here from vision to mission to goals to objectives).
The whole COBIT 2019 focusses on: how can your organization do governance, how does the organization keep understanding all the external reasons to exist and internal drivers to be what the organization wants to be. Additionally, COBIT identifies the associated responsibilities of the business process owners as well as those of the IT process owners.
Summary
COBIT is owned and supported by ISACA. It was released in 1996; the current version is COBIT®2019. The COBIT principles and enablers are generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector (figures 1 and 2).COBIT 2019 updates the framework for modern enterprises by addressing new trends, technologies and security needs. The framework still plays nicely with other IT management frameworks such as ITIL, CMMI and TOGAF, which makes it a great option as an umbrella framework to unify processes across an entire organization.
New concepts and terminology have been introduced in the COBIT Core Model, which includes 40 governance and
management objectives for establishing a governance program. The performance management system now allows more flexibility when using maturity and capability measurements. Overall, the framework is designed to give businesses more flexibility when customizing an IT governance strategy.
COBIT 2019 components
COBIT 2019 Framework – Introduction and methodology: The main guide that introduces the basic COBIT principles alongside the structure of the overall framework.
COBIT 2019 Framework – Governance and management objectives: A companion guide that dives into the COBIT Core Model and 40 governance and management objectives. Each objective is described including its purpose, how it connects with the enterprise and how it aligns goals.
COBIT 2019 Design Guide: A companion guide that offers in- depth guidance for developing a uniquely tailored governance system for your organization.
COBIT 2019 Implementation Guide: The fourth companion guide in the framework, which guides businesses through implementing the governance strategy once it’s developed. This includes best practices, ways to avoid pitfalls and how to integrate your COBIT 2019 strategy with your COBIT 5 strategy.
COBIT principles and benefits
One major change to COBIT 2019 is that it now encourages feedback from the practitioner community. You will be able to purchase the COBIT 2019 Design Guide, but ISACA has also released a crowdsourced version of COBIT where practitioners can leave comments, suggest improvements or propose new
concepts and ideas. 21
The COBIT framework is designed to be more prescriptive to guide companies in developing a governance strategy, while also allowing organizations to more comfortably tailor a unique best-fits governance strategy. It defines the “components to build and sustain a governance system: processes, policies and procedures, organizational structures, information flows, skills, infrastructure, and culture and behaviors”. Formerly referred to as ‘enablers’ in COBIT 5, these components better define what businesses need for a strong governance system.
COBIT best suits clients that use multiple frameworks — such as ITIL, ISO/IEC 2000 and CMMI — with certain silos within IT using their own framework or standard. It’s also well suited to organizations that are required to follow specific regulatory guidelines from the government and local authorities.
COBIT helps businesses align existing frameworks in the organization and understand how each framework will fit into the overall strategy. It can also help businesses monitor the performance of these other frameworks, especially in terms of security compliance, information security and risk management. It’s also designed to give senior management more insight into how technology can align with organizational goals. You can directly map pain points in the business to certain aspects of
the framework, emphasizing the need for ‘control-driven IT’. The framework gives CIOs and other IT executives a way to demonstrate the ROI on an IT project and how it will help reach key business objectives.
Target audience
Senior business management, senior IT management and auditors.
Scope and constraints
COBIT provides an ‘umbrella’ framework for IT governance across the whole of an organization. It is mapped to other frameworks and standards to ensure its completeness of coverage of the IT management lifecycle and support its use in enterprises using multiple IT-related frameworks and standards.
Some strong points are:
• Value creation through effective governance, management enterprise information and technology (IT) assets
• Business user satisfaction with IT engagement and services by enabling business objectives
• Compliance with relevant laws, regulations and policies
Constraints:
• Treating COBIT as a prescriptive standard when it should be interpreted as a generic framework to manage IT processes and internal controls. Key themes from COBIT must be tailored to the specific governance needs of the organization
• Lack of commitment from top management – without their leadership and support, the IT control framework will suffer and business alignment of IT risks will not happen
• Underestimating the cultural change – COBIT is not just about the technical aspects of IT. The organization needs to have a good understanding of the governance controls for the IT risks