COBIT is an IT governance and management framework developed by ISACA that provides a set of tools for managers to balance IT risks and controls against the benefits of technology.

What is COBIT?

COBIT is a comprehensive IT governance and management framework that helps organizations create value from IT while maintaining a balance between realizing benefits and optimizing risk levels and resource use.

COBIT Evolution

COBIT 5 (2012)

  • Approach: Integrated IT governance and management
  • Principles: 5 fundamental principles
  • Processes: 37 IT processes
  • Structure: Unified framework

COBIT 2019 (2019)

  • Approach: Updated IT governance and management
  • Principles: 5 updated fundamental principles
  • Processes: 40 IT processes
  • Structure: More flexible and adaptable framework

COBIT Fundamental Principles

Principle 1: Meet Stakeholder Needs

  • Objective: Create value for stakeholders
  • Approach: Align IT objectives with business objectives
  • Result: Sustainable value for the organization

Principle 2: Cover the Organization End-to-End

  • Objective: Cover the entire organization
  • Approach: Include all functions and processes
  • Result: Comprehensive governance and management

Principle 3: Apply a Single Integrated Framework

  • Objective: Use a unified framework
  • Approach: Integrate different frameworks and standards
  • Result: Consistency in implementation

Principle 4: Enable a Holistic Approach

  • Objective: Consider all aspects
  • Approach: Comprehensive governance and management approach
  • Result: Complete view of the organization

Principle 5: Separate Governance from Management

  • Objective: Distinguish between governance and management
  • Approach: Separate responsibilities and activities
  • Result: Clarity in roles and responsibilities

COBIT 2019 Structure

Governance Processes (5 processes)

EDM - Evaluate, Direct and Monitor (5 processes)

  • EDM01: Ensure governance framework
  • EDM02: Ensure benefits delivery
  • EDM03: Ensure risk optimization
  • EDM04: Ensure resource optimization
  • EDM05: Ensure stakeholder transparency

Management Processes (35 processes)

APO - Align, Plan and Organize (13 processes)

  • APO01: Manage IT framework
  • APO02: Manage strategy
  • APO03: Manage enterprise architecture
  • APO04: Manage innovation
  • APO05: Manage portfolio
  • APO06: Manage budget and costs
  • APO07: Manage human resources
  • APO08: Manage relationships
  • APO09: Manage service agreements
  • APO10: Manage suppliers
  • APO11: Manage quality
  • APO12: Manage risk
  • APO13: Manage security

BAI - Build, Acquire and Implement (11 processes)

  • BAI01: Manage programs and projects
  • BAI02: Manage requirements definition
  • BAI03: Manage solutions and build
  • BAI04: Manage availability and capacity
  • BAI05: Manage IT acquisition
  • BAI06: Manage changes
  • BAI07: Manage organizational change
  • BAI08: Manage knowledge
  • BAI09: Manage assets
  • BAI10: Manage configuration
  • BAI11: Manage projects

DSS - Deliver, Service and Support (6 processes)

  • DSS01: Manage operations
  • DSS02: Manage service requests
  • DSS03: Manage problems
  • DSS04: Manage continuity
  • DSS05: Manage security
  • DSS06: Manage business controls

MEA - Monitor, Evaluate and Assess (5 processes)

  • MEA01: Manage performance and compliance
  • MEA02: Manage control system
  • MEA03: Manage assurance
  • MEA04: Manage risk management
  • MEA05: Manage security

Enablers

Organizational Enablers

  • Principles, Policies and Frameworks: Guidelines and standards
  • Processes: Activities and workflows
  • Organizational Structure: Roles and responsibilities
  • Culture, Ethics and Behavior: Values and behaviors

Information Enablers

  • Information: Data and knowledge
  • Services, Infrastructure and Applications: Technology
  • People, Skills and Competencies: Human resources
  • Relationships: Stakeholders and suppliers

Capability Model

Capability Levels (0-5)

  • Level 0: Incomplete
  • Level 1: Initial/Ad-hoc
  • Level 2: Repeatable but Intuitive
  • Level 3: Defined
  • Level 4: Managed and Measurable
  • Level 5: Optimized

Capability Dimensions

  • Processes: Process maturity
  • Organizational: Organizational capability
  • Technical: Technical capability
  • Human: Human capability

COBIT Benefits

Governance

  • Alignment: Alignment between IT and business
  • Transparency: Transparency in IT management
  • Accountability: Clarity in responsibilities
  • Strategy: Support for business strategy

Management

  • Efficiency: Improved operational efficiency
  • Quality: Improved service quality
  • Risks: Better risk management
  • Resources: Resource optimization

Compliance

  • Regulations: Regulatory compliance
  • Audit: Facilitates audits
  • Standards: Standards compliance
  • Best practices: Best practices implementation

COBIT Implementation

Phase 1: Preparation

  • Commitment: Management commitment
  • Resources: Resource allocation
  • Team: Implementation team formation
  • Communication: Communication plan

Phase 2: Assessment

  • Current state: Current state assessment
  • Gaps: Gap identification
  • Risks: Risk assessment
  • Resources: Available resource evaluation

Phase 3: Planning

  • Objectives: Objective definition
  • Roadmap: Implementation plan
  • Priorities: Activity prioritization
  • Budget: Budget planning

Phase 4: Implementation

  • Processes: Process implementation
  • Controls: Control implementation
  • Training: Staff training
  • Monitoring: Progress monitoring

Phase 5: Operation

  • Monitoring: Continuous monitoring
  • Assessment: Periodic assessment
  • Improvement: Continuous improvement
  • Update: Framework update

Tools and Resources

COBIT Tools

  • COBIT 2019 Framework: Main framework
  • COBIT 2019 Design Guide: Design guide
  • COBIT 2019 Implementation Guide: Implementation guide
  • COBIT 2019 Assessment Guide: Assessment guide

Additional Resources

  • COBIT Online: Online platform
  • COBIT Training: Training programs
  • COBIT Certification: Professional certifications
  • COBIT Community: Community of practice

Use Cases

Private Sector

  • Companies: Implementation in private companies
  • Critical sectors: Critical infrastructure
  • SMEs: Small and medium enterprises
  • Multinationals: Multinational companies

Public Sector

  • Government agencies: Implementation in agencies
  • Local governments: State and local governments
  • Defense: Defense sector
  • Health: Public health sector

Academic Sector

  • Universities: Higher education institutions
  • Research: Research institutions
  • K-12: Primary and secondary schools
  • Libraries: Public libraries

Best Practices

Implementation

  1. Executive commitment: Obtain management commitment
  2. Complete assessment: Perform exhaustive assessment
  3. Detailed planning: Develop detailed plan
  4. Gradual implementation: Implement gradually
  5. Continuous monitoring: Monitor continuously

Management

  1. Regular communication: Regular communication with stakeholders
  2. Continuous training: Continuous staff training
  3. Periodic assessment: Periodic progress assessment
  4. Continuous improvement: Continuous framework improvement
  5. Update: Regular framework updates

Glossary

  • COBIT: Control Objectives for Information and Related Technologies
  • ISACA: Information Systems Audit and Control Association
  • EDM: Evaluate, Direct and Monitor
  • APO: Align, Plan and Organize
  • BAI: Build, Acquire and Implement
  • DSS: Deliver, Service and Support
  • MEA: Monitor, Evaluate and Assess
  • Enabler: COBIT framework facilitator