COBIT 2019, What you need to know

A comprehensive overview of the framework, its key points, and how to use it in a real-world environment

March 12, 11 min read

The information and technology industry has no shortage of frameworks, standards, and best practice guidance with significant potential value. Every framework has a unique value proposition, but none can do everything an organization needs.

However, there is only one globally known framework that focuses on GEIT (governance of enterprise information and technology) and that is COBIT. Although it is not the only framework you should use, it is certainly one you should consider in your framework inventory.

One often-heard quote about COBIT is that it offers guidance on "What you should do," while other frameworks tell you "How you should do it." Although many frameworks have emerged in the governance space, COBIT is still the go-to for IT governance-related matters. A unique aspect of COBIT is that it offers guidance to a level that lets other frameworks go to a deeper level and suggests which to use and where. An effective COBIT adoption REQUIRES other frameworks, and COBIT tells you what they are and when you should use them.

Figure 1, Aligning COBIT with Industry Frameworks, Escoute, LLC

Although COBIT is universally accepted as a framework for the governance and management of information and technology, many countries worldwide have adopted this as a compliance standard in their banking systems and other areas. However, for most organizations, COBIT is being leveraged as a "framework to manage frameworks." As illustrated in Figure 1, COBIT acts as "middleware" between enterprise governance tools and best practices commonly used by IT service providers. It is a suitable tool to help align frameworks, goals, priorities, and activities between the enterprise and IT.

Short history of COBIT

In 1996, the EDP Auditors Association, later known as ISACA, saw the need to provide financial auditors with guidance on auditing controls related to the growing risks and compliance requirements in the information and technology field. This effort resulted in a publication that identified control objectives for information and technology, called COBIT. Although COBIT originally stood for Control Objectives for Information and Related Technologies, today it simply goes by COBIT.

COBIT has undergone several iterations since 1996 and today has emerged as a globally recognized governance and management framework for information and technology. As illustrated in Figure 2 below, COBIT has been updated on a regular basis and has updated its guidance to align with the industry's most pressing topics. Today, it combines the remnants of auditing control objectives with a modern view of all the ingredients required for a sustainable and tailorable governance system.

Figure 2, Evolution of the COBIT framework, Escoute LLC

COBIT description

Many aspects of COBIT can be valuable to any enterprise that depends on IT-related services to conduct its business. There's something in COBIT for everyone; you just need to know how and where to find it. The initial launch of the COBIT framework (2019 version) included several publications:

Publication: Introduction and Methodology
  • Explains the overall structure and parts of the framework.
  • Refreshes key governance terms, concepts, and principles.
  • Introduces the governance system, components, and governance/management objectives.

Publication: Governance and Management Objectives
  • Includes 40 governance and management objectives organized into five domains (Gov/Mgt).
  • Each objective is related to one process.
  • For each objective, provides guidance related to each of the governance components.

Publication: Designing an Information and Technology Governance Solution
  • Introduces focus areas and design factors.
  • Includes a design workflow that facilitates the creation of a tailored governance system.
  • Used in conjunction with the Implementation Guide.

Publication: Implementing and Optimizing an Information and Technology Governance Solution
  • Updated from the COBIT 5 Implementation Guide.
  • Used in conjunction with the Design Guide.
  • Provides a continual improvement lifecycle approach.
  • Includes seven phases with three perspectives.

Publication: Focus Area Guides
  • Describes a governance topic, domain, or issue that can be addressed by a collection of governance and management objectives and their components.
  • As of the publication of this article, there are four Focus Area guides: Small and Medium Enterprises, DevOps, Information and Technology Risk, and Information Security.
Table 1, COBIT 2019 Publications

Many other complementary publications are designed to assist enterprises in adopting and adapting the guidance. A comprehensive list of all these documents can be found at www.isaca.org/cobit.

Consider COBIT a high-level guide that helps you determine the right things to do, but one that does not give you the details of how to adopt them. COBIT essentially breaks the overall system of information and technology governance down into the following:

  • Principles
  • Governance and Management Objectives
  • Governance Components
  • Goals Cascading
  • Design Factors
  • Implementation
  • Focus Areas

Principles

Like any solid body of knowledge, COBIT is built on principles that serve as its key guides. COBIT has two categories of principles: governance principles and framework principles. These are important because they set the foundation for how organizations adopt and adapt frameworks in line with them.

Governance and management objectives

One of the most powerful aspects of COBIT is the set of governance and management objectives. The 40 objectives are organized into governance objectives (5) and management objectives (35). COBIT endorses a distinction between governance and management, as illustrated in the objectives.

Figure 3, COBIT Governance and Management Objectives, Escoute LLC

The five governance objectives are organized under the EDM domain, while the management objectives fall under the APO, BAI, DSS, and MEA domains. This is important because any governing body in an organization should consider the EDM guidance, while management is responsible for the remaining domains. Each of the objectives identified in COBIT is further explained in the COBIT 2019 publication Governance and Management Objectives using the following:

Figure 4, COBIT Guidance for each governance and management objective, Escoute LLC

This is where it can get a little confusing. COBIT states that each one of these 40 objectives is also a process. How is that? Read on to the governance components to see why.

Governance components

COBIT outlines seven governance components, essentially the ingredients of a governance system. Each governance and management objective is described in terms of these seven components, and the components are what is required to achieve the objective. They are factors that, individually and collectively, contribute to the good operation of the enterprise's governance system over I&T. They interact with each other, resulting in a holistic governance system for I&T. The most familiar type of component is processes.

Figure 5, COBIT Governance Components, Escoute LLC

Goals cascade

Goals cascading is one of the most easily understood governance topics, but also one of the most difficult and misapplied tools. COBIT was the first framework to introduce a model in which organizations can link their specific stakeholder needs, through a set of mapping tables, from higher-level enterprise goals down to governance and management objectives (and processes).

Figure 6, The COBIT goals cascade, Escoute LLC

This is a significant tool to help organizations determine which processes are the most valuable and relevant to achieving enterprise goals. An overview of the goals cascade can be found in the Introduction and the Governance and Management Objectives publications of COBIT; detailed information on how to apply it is in the COBIT 2019 publication Governance and Management Objectives.

Design factors

Recognizing the need for a tool that helps enterprises create a tailored governance system, COBIT created a set of design factors that can be used to determine what parts of COBIT are more relevant than others based on several criteria.

Figure 7, COBIT Design Factors, Escoute LLC

Consider these design factors as inputs or variables to a governance system. The internal and external environment changes constantly, and to have a truly tailorable and flexible governance system, organizations must continuously adjust their governance focus as these changes occur. COBIT provides a methodology (a downloadable tool) that takes inputs based on a specific enterprise's situation and provides guidance on which governance and management objectives are the most appropriate to enable the enterprise to meet its goals and support its business strategy. This information can be found in the publication Designing an Information and Technology Governance Solution, also known as the "Design Guide."

Focus areas

Too much information to digest in COBIT? There's a solution for you. Several supplemental guidance publications dissect COBIT into the parts relevant to a specific area or focus. Are you an organization that focuses exclusively on DevOps? COBIT has a Focus Area guide for this. As of the publication of this paper, there are four of these guides: DevOps, Small and Medium Enterprises, Information and Technology Risk, and Information Security. Outside of these focus area guides, several other informative publications link current topics with COBIT, such as various audit programs, implementing the NIST cybersecurity framework, and many more.

Implementation

The guidance in the Implementation Guide is intended to assist enterprises with implementation using ISACA methodologies, especially those developed in COBIT. The guide includes processes, example templates, and strategic and tactical direction designed to maximize benefit from the CSF and to help practitioners identify and achieve enterprise objectives for the governance and management of I&T.

Figure 7, COBIT Implementation Model, ISACA

Performance management

COBIT Performance Management refers to how well the governance and management system, and all the components of an enterprise, work, and how they can be improved to the required level. It includes methods and concepts such as capability levels and maturity levels. COBIT 2019 performance management is based on the following principles:

  • Simple to understand and use.
  • Consistent with, and supportive of, the COBIT conceptual model.
  • Provides reliable, repeatable, and relevant results.
  • Flexible.
  • Supports different types of assessments.

ISACA owns the CMMI model, so, not surprisingly, COBIT performance management largely aligns with and extends CMMI concepts, i.e., the 0-5 scale commonly used during assessments.

Using COBIT

Like most frameworks, it is difficult to read the introductory material and say, "Aha, I get it." COBIT learned from past releases that sometimes perfect can ruin good. The previous version, COBIT 5, had huge amounts of practical information, but many users didn't know how or where to enter the model to find it. With COBIT 2019, the material has been reorganized with the user experience in mind.

The following use cases represent typical scenarios when adopting COBIT in an organization.

Use case: Aligning IT with the business
Desired outcome: IT-related goals, objectives, strategies, and focus areas support business outcomes.
How to use COBIT:
  • Start with the COBIT Goals Cascade and follow up with the Design Factors to ensure proper alignment.
  • COBIT Publications: Introduction, Governance and Management Objectives, and Design Guide.

Use case: Creating a tailored governance system
Desired outcome: A governance system that continuously improves and incorporates changes to the internal/external environment.
How to use COBIT:
  • Use the Design Factors to determine which Governance and Management Objectives are most applicable to support the business strategy.
  • COBIT Publications: Governance and Management Objectives, and Design Guide.

Use case: Assessing capability and maturity
Desired outcome: Measure the performance of processes and components to identify improvement opportunities.
How to use COBIT:
  • Use the COBIT performance management principles.
  • Refer to the CMMI measurement approach.
  • COBIT Publications: Introduction, Governance and Management Objectives, and Design Guide.

Use case: Aligning COBIT with other applicable frameworks
Desired outcome: Synchronizing multiple frameworks in the I&T governance system.
How to use COBIT:
  • Use the "additional guidance" sections in the Governance and Management Objectives to determine applicable frameworks, standards, and bodies of knowledge.
  • COBIT Publications: Introduction, Governance and Management Objectives, and Design Guide.

Use case: Governance implementation
Desired outcome: Iterative approach to adopting a GEIT system in the organization.
How to use COBIT:
  • Adopt an iterative approach using the seven steps and three perspectives of the COBIT implementation methodology.
  • COBIT Publications: Governance and Management Objectives, and Implementation Guide.

Use case: Audit planning and execution
Desired outcome: Design, plan, and execute audits for information and technology.
How to use COBIT:
  • COBIT Publications: Introduction, Governance and Management Objectives, and Design Guide.
Table 2, Use cases when using COBIT.

There is something in COBIT for everyone, but you have to know where to look for it. It is a powerful tool that can help board members, senior management, IT management, process owners, auditors, service managers, and many more understand the essential practices and activities related to each role. The trick to making this framework provide value to your organization is to integrate it with the other frameworks, standards, and best practices in your organization. For more information about COBIT, visit the ISACA website.

About the author

Mark Thomas

Mark is an internationally known Governance, Risk, and Compliance expert specializing in information assurance, IT risk, IT strategy, service management, cybersecurity, and digital trust. Mark has a wide array of industry experience, including government, health care, finance/banking, manufacturing, and technology services. He has held roles spanning from CIO to IT consulting and is considered a thought leader in frameworks such as COBIT, DTEF, NIST, ITIL, and multiple ISO standards. Mark is also a two-time recipient of the ISACA John Kuyers award for best conference contributor/speaker, as well as an ISACA Hall of Fame recipient in 2024. He is also an APMG product knowledge assessor for the CGEIT, CRISC, CDPSE, and IT Risk certifications.
