COBIT (Control Objectives for Information and Related Technology)
COBIT is a framework of the best practices for IT management (IT Governance). It is a set of best practices and procedures that help the organization to achieve strategic objectives through the effective use of available resources and minimization of IT risks. COBIT interconnects Enterprise governance and IT Governance. This connection is realized by linking business and IT goals, defining metrics and maturity models to measure the achievement of objectives, and defining the responsibilities of owners of the business and IT processes.
The first COBIT version was released by the ISACA organization in 1996. The first edition consisted of the framework, and the second one was extended to include audit guidelines, an implementation toolset, and control objectives. The third edition added management guidelines. The third edition of COBIT has been released by the ITG Institute (IT Governance Institute). The current edition is the fifth (COBIT 5), and the fifth version is available from April 2012. COBIT 5 consolidates and integrates the COBIT 4.1, Val IT 2.0, and Risk IT Framework and also draws significantly from the Business Model for Information Security (BMIS) and ITAF.
The latest version, COBIT 2019, was released in 2018. New insights from experts in IT and governance were included in the new version.
Framework and Components of COBIT
COBIT was initially "Control Objectives for Information and Related Technologies," though, before the release of the framework, people talked of "CobiT" as "Control Objectives for IT" or "Control Objectives for Information and Related Technology." The framework defines a set of generic processes for the management of IT, with each process defined together with process inputs and outputs, key process activities, process objectives, performance measures, and an elementary maturity model. COBIT also provides a set of recommended best practices for the governance and control process of information systems and technology with the essence of aligning IT with business. COBIT 5 consolidates COBIT 4.1, Val IT, and Risk IT into a single framework acting as an enterprise framework aligned and interoperable with other frameworks and standards. The business orientation of COBIT consists of linking business goals to IT goals, providing metrics and maturity models to measure their achievement, and identifying the associated responsibilities of business and IT process owners. The process focus of COBIT is illustrated by a process model subdividing IT into four domains (Plan and Organize; Acquire and Implement; Deliver and Support; and Monitor and Evaluate) and 34 processes in line with the responsibility areas of plan, build, run, and monitor. It is positioned at a high level and has been aligned and harmonized with other, more detailed IT standards and good practices such as COSO, ITIL, BiSL, ISO 27000, CMMI, TOGAF, and PMBOK. COBIT acts as an integrator of these different guidance materials, summarizing key objectives under one umbrella framework that links the good practice models with governance and business requirements. COBIT 5 further consolidated and integrated the COBIT 4.1, Val IT 2.0, and Risk IT frameworks and drew from ISACA's IT Assurance Framework (ITAF) and the Business Model for Information Security (BMIS). The framework and its components can, when utilized well, also contribute to ensuring regulatory compliance. It can encourage less wasteful information management, improve retention schedules, increase business agility, and lower costs while better complying with data retention and management regulations.
COBIT components include:
- Framework: Organizes IT governance objectives and good practices by IT domains and processes and links them to business requirements.
- Process descriptions: A reference process model and common language for everyone in an organization. The processes map to responsibility areas of planning, building, running, and monitoring.
- Control objectives: Provides a complete set of high-level requirements to be considered by management for effective control of each IT process.
- Management guidelines: Helps assign responsibility, agree on objectives, measure performance, and illustrate interrelationship with other processes.
- Maturity models: Assess maturity and capability per process and help to address gaps.
The Principles of COBIT
Five principles make up COBIT: (see figure below)
- Meeting stakeholder needs. This is incredibly general, but COBIT points out that meeting the needs of the stakeholder while still meeting the needs of the company is valuable.
- Covering the enterprise end-to-end. You must have a complete solution—not just pieces here and there. It’s important to take an in-depth look at network devices, endpoint solutions, as well as signature, non-signature, and heuristic base protection (and much more).
- Applying a single integrated framework. This isn’t to say you need only a single vendor for your framework, but rather that your framework must be organized and well thought-out.
- Enabling a holistic approach. You must have a plan of action that attacks an IT problem from multiple angles.
- Separating governance from management. Governance ensures that there is oversight while management deals with the necessary processes and steps needed.
The COBIT Reference Model
COBIT 5 is not delivered as a prescriptive model; rather, it advocates the implementation of governance and management processes within enterprises, as per the figure below. The COBIT 5 process reference model defines and describes in detail the governance and management processes normally found within an enterprise relating to IT activities, providing a common reference model understandable to operational IT and business managers. The COBIT 5 model delivers an operational model with a common language for all parts of the business involved in IT activities. It provides a framework for measuring and monitoring IT performance, communicating with service providers, and integrating best management practices.
The COBIT 5 process reference model divides the governance and management processes of enterprise IT into two main process domains:
- Governance—Contains five governance processes with “evaluate, direct and monitor practices” defined within each process
- Management—Four domains, in line with the responsibility areas of plan, build, run and monitor (PBRM), providing the end-to-end coverage of IT. These domains are an evolution of the COBIT 4.1 domain and process structure:
- Align, Plan, and Organise (APO)
- Build, Acquire, and Implement (BAI)
- Delivery, Service, and Support (DSS)
- Monitor, Evaluate and Assess (MEA)
The COBIT 5 process reference model is the successor of the COBIT 4.1 process model, incorporating both the Risk IT and Val IT frameworks.
A significant refresh of COBIT 4.1 and COBIT 5 improve this useful framework by integrating several of ISACA's frameworks, notably Val IT and Risk IT. The changes have made COBIT 5 broader and more complex. The scope of its guidance could overwhelm new users and inhibit its adoption; consequently, the online version of COBIT 5 will need to provide role-specific versions or logical views to make it more user-friendly.
Changes in COBIT 5 likely to have the greatest impact on organizations currently using COBIT include:
- A new process capability assessment approach, based on ISO/IEC 15504, replaces the Capability Maturity Model (CMM)-based modeling.
- Modifications to the process model, including changed processes and some new processes.
- Beyond the integration, this update also attempts to address a number of issues, including:
- Greater relevance to a wider business audience through increased separation of governance from management and clearer connection with board-level concerns.
- More explicit guidance to levers of change ("enablers") beyond processes, such as culture, ethics, behavior, people, skills, and competencies.
- Improved process capability assessments.
- Linkage between specific IT and enabler goals to broader enterprise-level goals.
- Greater emphasis on value creation through focusing on benefits realization, risk optimization, and resource optimization.
However, ISACA has overlooked or set aside some areas for this update:
- It ignores the blurring boundary between operational technology and Information Technology (IT), which will have an increasing impact on the management of risk and delivery of value and will require additional controls.
- It is just about acknowledging but does not explicitly deal with or provide any useful guidance on sustainability.
- It still complements the Information Technology Infrastructure Library (ITIL) without replacing it.
COBIT 5 Vs. COBIT 2019
- Principles and Objectives
There are 6 governance system principles in COBIT 2019, compared to 5 in COBIT 5. Governance principles ensure that stakeholder needs are evaluated and agreed on based on enterprise objectives, to set direction through prioritization and decision-making, and to monitor performance and compliance against the set direction and objectives.
Along with including an additional governance principle, COBIT 2019 revises some of the terminologies used in defining the principles. However, the governance and management objectives are similar in both versions.
More changes can be noted in the processes that support the governance and management objectives. The number of processes is increased from 37 in COBIT 5 to 40 in COBIT 2019. The terminology is also changed slightly, from the use of the verb “manage” in COBIT 5 to the adjective “managed” in COBIT 2019. Specific examples include:
- In Align, Plan, and Organize (APO), 1 process is added (APO14 Managed Data) and the terminology in APO10 is changed from “supplier” to “vendor.”
- In Build, Acquire and Implement (BAI), one process is added (BAI11 Managed Projects). In addition, in COBIT 2019, BAI06 and BAI07 specify that the changes being managed, accepted and transitioned are IT changes.
- In Monitor, Evaluate and Assess (MEA), one process is added (MEA04 Managed Assurance) and the terminology in the other 3 MEA processes is changed to emphasize the use of “managed” instead of “Monitor, Evaluate and Assess.”
- Framework Principles
Governance framework principles are added to COBIT 2019. The conceptual model referred to in the first principle identifies key components and relationships among the components to maximize consistency and allow automation. Openness and flexibility cited in the second principle implies allowing the addition of new content and the ability to address new issues in a flexible way, thereby allowing integrity and consistency. The third principle points out that the model should be aligned to major standards, frameworks and regulations.
- Performance Management and Design Factors
Performance management in COBIT 2019 is based on the CMMI Performance Management Scheme, in which the capability and maturity levels are measured between 0 and 5, whereas the scale used in COBIT 5 is based on International Organization for Standardization(ISO)/International Electrotechnical Commission (IEC) ISO/IEC 33000 Software Process Improvement and Capability Determination—SPICE.
Enablers have been removed from COBIT 2019 for simplification.
Design factors, which are introduced in COBIT 2019, are the factors that influence the design of the enterprise governance system
In Conclusion, COBIT 2019 has 6 governing principles instead of 5. The number of processes supporting the governance and management objectives is increased from 37 to 40, with some changes in terminology. Governance principles are added, and performance management is based on the CMMI performance management scheme instead of ISO/IEC 33000. Finally, 11 design factors that influence the design of the enterprise governance system are introduced and enablers are removed. An enterprise governance system can be designed using ISACA’s tool kit by inserting appropriate values in the respective fields. COBIT 2019 includes new technology and business trends in I&T. It can integrate with other international standards, guidelines, regulations and best practices unique to your organization and provide an effective EGIT framework.