COBIT is an IT governance framework that helps businesses implement, monitor and improve best practices in IT management. It stands for Control Objectives for Information and Related Technologies.
Developed by ISACA, it aims to address the connection between technical issues, business risks and control needs. COBIT can be used by any organization in any industry to ensure the quality, control, and reliability of information systems.
In the United States, it is widely used to comply with the Sarbanes-Oxley Act (SOX).
ISACA
ISACA is a global organization that develops guidance and controls for professionals in information governance, control, security and audit. It is responsible for creating and promoting the COBIT framework.
The organization was previously known as the “Information Systems Audit and Control Association,” but now simply goes by ISACA.
COBIT: A Closer Look
COBIT (Control Objectives for Information and Related Technology) is an information system audit and control basis created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992.
The COBIT Framework is a common control standard for information technology, providing a framework and controls for information technology that can be accepted and applied internationally.
COBIT is helpful to management to help balance risk and control investment in an often unpredictable IT environment. For users, this becomes very useful to gain confidence in IT security and control services provided by internal parties or third parties.
The Auditor supports or strengthens the opinions generated and advises management on existing internal controls.
COBIT Framework Basics
COBIT is more than a set of technical standards for IT managers. This framework supports the requirements of businesses via combined IT applications, related processes and sources. It provides the following two main parameters:
- Control: IT management practices, policies, procedures, and structures, providing an acceptable assurance level that business goals will be met.
- IT control objective: States the acceptable results level that must be attained on implementing control procedures for a particular IT operation.
A Brief History
COBIT was first published in 1996 to assist financial auditors in managing the growth of their IT environment. In 1998, ISACA released a more comprehensive version, which expanded beyond audit controls.
The third and fourth versions, released in the 2000s, included more management guidelines for cybersecurity
. In 2013, COBIT 5 was released, which provided tools, objectives, and best practices that were universally applicable to all IT operations in enterprises.
It built on the fourth version by incorporating related standards from ISO, including ITIL. ISACA then updated COBIT 5 to COBIT 2019, which is the latest version.
This version is more comprehensive, flexible, and suitable for all enterprises, regardless of their size or goals. Compared to COBIT 5, COBIT 2019 has six governing principles and 40 processes supporting management objectives and governance, an increase from 37.
What is COBIT: Components
The following are some of the components of COBIT, namely:
1. Frameworks
It helps set IT governance goals and brings best practices in IT processes and domains while connecting business requirements.
2. Process Description
This component is a reference model and also acts as a common language for every individual in the organization. Process description includes planning, building, running, and monitoring all IT processes.
3. Control Objective
This component provides a complete list of requirements that management has considered for effective IT business control.
4. Maturity Models
Access the maturity and capability of each process while addressing gaps.
5. Management Guidelines
Assists in better assigning responsibilities, measuring performance, agreeing on common goals, and delineating better linkages with every other process.
What is COBIT: Principles
The latest version, COBIT 2019, presents six principles for a governance system:
- Meet stakeholder needs
- Holistic approach
- Dynamic governance system
- Distinct governance from management
- Tailored to enterprise needs
- End-to-end governance system
Information Criteria based on COBIT
To fulfill business objectives, information needs to meet specific criteria, while the 7 information criteria that are of concern to COBIT are as follows:
Effectiveness. The information obtained must be relevant, related to business processes, reliable, and timely.
1. Efficiency
Provision of information through optimal (most productive and economic) use of resources.
2. Confidentially
Protecting critical information from parties who do not have authorization rights / are not authorized.
3. Integrity
Related to the accuracy and completeness of data/information and the level of validity by expectations and business value.
4. Availability
Focus on the availability of data/information when needed in business processes, both now and in the future. This is also related to securing the necessary and related resources.
5. Compliance
Fulfilling data/information by legal provisions, regulations, and planned agreements/contracts for business processes.
6. Reliability
Focus on providing the correct information for management to operate the company and fulfill their obligation to prepare financial reports.
What’s Differences Between COBIT 5 and COBIT 2019?
COBIT 2019 |
COBIT 5 |
| It has six governance principles. | It has five governance principles. |
| The term “managed” is for management processes.
The term “ensured” is for governance processes. |
The term “manage” is for management processes.
The term “ensure” is for governance processes. |
| 40 processes | 37 processes |
| Governance framework principles present | Governance framework principles are absent |
| Enablers renamed as components | Enablers are included |
| Design factors available | Design factors are not available |
| CMMI performance management scheme is used. | A 0-5 scale based on ISO/IEC 33000 is used to measure performance. |
All You Need To Know Before Using COMBIT
Before using the COBIT framework, it is important to understand the following:
- Purpose and scope: Understand the purpose of COBIT and its scope of application. It is a framework for IT governance and management that can be applied to any organization.
- Business requirements: Understand the business requirements and objectives of the organization and how COBIT can help to align IT with these goals.
- Governance structure: Understand the governance structure of the organization and how COBIT can be integrated into it.
- IT processes: Understand the IT processes in place within the organization and how COBIT can be used to improve them.
- Compliance: Be aware of any compliance requirements, such as the Sarbanes-Oxley Act (SOX) in the United States, that the organization needs to adhere to and how COBIT can be used to meet these requirements.
- Resources: Assess the resources needed for implementation, including personnel and budget, and plan accordingly.
- Tailoring: COBIT is a framework and should be tailored to the specific needs of the organization. It is important to understand the process of tailoring COBIT to your organization’s specific needs.
- Training: Understand the training and knowledge requirements for the personnel involved in the implementation of COBIT.
In summary, before using COBIT, you should understand the purpose of the framework, its scope of application, and how it can align with the business requirements and objectives of the organization. It is also important to consider the governance structure, IT processes, compliance requirements, resources, tailoring, and training needs before implementing COBIT.