COBIT 2019, What you need to know

A comprehensive overview of the framework, it's key points, and how to use this in a real-world environment

March 12 . 11 mins read

The information and technology industry has no shortage of frameworks, standards, and best practice guidance with significant potential value. Every framework has a unique value proposition, but none can do everything an organization needs.

However, there is only one globally known framework that focuses on GEIT (governance of enterprise information and technology) and that is COBIT. Although it is not the only framework you should use, it is certainly one you should consider in your framework inventory.

One often-heard quote about COBIT is that it offers guidance on "What you should do," while other frameworks tell you "How you should do it." Although many frameworks have emerged in the governance space, COBIT is still the go-to for IT governance-related matters. A unique aspect of COBIT is that it offers guidance to a level that lets other frameworks go to a deeper level and suggests which to use and where. An effective COBIT adoption REQUIRES other frameworks, and COBIT tells you what they are and when you should use them.

COBIT frameworks
Figure 1, Aligning COBIT with Industry Frameworks, Escoute, LLC

Although COBIT is universally accepted as a framework for the governance and management of information and technology, many countries worldwide have adopted this as a compliance standard in their banking systems and other areas. However, for most organizations, COBIT is being leveraged as a "framework to manage frameworks." As illustrated in Figure 1, COBIT acts as "middleware" between enterprise governance tools and best practices commonly used by IT service providers. It is a suitable tool to help align frameworks, goals, priorities, and activities between the enterprise and IT.

Short history of COBIT

In 1996, the EDP Auditors Association, later known as ISACA, saw the need to provide financial auditors with guidance on auditing controls related to the growing risks and compliance requirements in the information and technology field. This effort resulted from a publication that identified control objectives for information and technology - called COBIT. Although COBIT originally stood for Control Objectives for Information and Related Technologies, today, it simply goes by COBIT.

COBIT has undergone several iterations since 1996 and today has emerged as a globally recognized governance and management framework for information and technology. As illustrated in Figure 2 below, COBIT has been updated on a regular basis and has updated its guidance to align with the industry's most pressing topics. Today, it combines the remnants of auditing control objectives with a modern view of all the ingredients required for a sustainable and tailorable governance system.

COBIT Evolution
Figure 2, Evolution of the COBIT framework, Escoute LLC

COBIT description

Many aspects of COBIT can be valuable to any enterprise that depends on IT-related services to conduct its business. There's something in COBIT for everyone; you just need to know how and where to find it. The initial launch of the COBIT framework (2019 version) included several publications:

Publication Description
COBIT 2019 introduction

Introduction and Methodology

  • Explains the overall structure and parts of the framework.
  • Refreshes key governance terms, concepts, and principles.
  • Introduces the governance system, components, and governance/management objectives.
COBIT 2019 objectives

Governance and Management Objectives

  • Includes 40 governance and management objectives organized into five domains (Gov/Mgt).
  • Each objective is related to one process.
  • For each objective, provides guidance related to each of the governance components.
COBIT 2019 design

Designing an Information and Technology Governance Solution

  • Introduces focus areas and design factors.
  • Includes a design workflow that facilitates the creation of a tailored governance system.
  • Used in conjunction with the Implementation Guide.
COBIT 2019 implementation

Implementing and Optimizing an Information and Technology Governance Solution

  • Updated from the COBIT5 Implementation Guide.
  • Used in conjunction with the Design Guide.
  • Provides a continual improvement lifecycle approach.
  • Includes seven phases with three perspectives.
COBIT 2019 framework focus areas

Focus Area Guides

  • Describes a governance topic, domain, or issue that can be addressed by a collection of governance and management objectives and their components.
  • As of the publication of this article, there are four Focus Area guides: Small and Medium Enterprises, DevOps, Information and Technology Risk, and Information Security.
Table1, COBIT 2019 Publications

Many other complementary publications are designed to assist enterprises in adopting and adapting the guidance. A comprehensive list of all these documents can be found at

Consider COBIT as a high-level guide to help you determine the right things to do, but it doesn't give you details on how to adopt those. COBIT essentially describes the overall system of information and technology governance into the following:

  • Principles
  • Governance and Management Objectives
  • Governance Components
  • Goals Cascading
  • Design Factors
  • Implementation
  • Focus Areas


Like any solid body of knowledge, principles should be the key guides. COBIT has two categories of principles: Governance principles and framework principles. These are important because they set the foundation for how organizations can adopt and adapt frameworks in line with these.

Governance and management objectives

One of the most powerful aspects of COBIT is the governance and management objectives. Forty of these objectives are organized into governance objectives (5) and management objectives (35). COBIT endorses a distinction between governance and management, as illustrated in the objectives.

COBIT governance
Figure 3, COBIT Governance and Management Objectives, Escoute LLC

The five governance objectives are organized under the EDM domain, where the management objectives are under the APO, BAI, DSS, and MEA domains. This is important because any governing body in an organization should consider the EDM guidance while management is responsible for the remaining domains. Each of the objectives identified in COBIT is further explained in the COBIT 2019 publication Governance and Management Objectives using the following:

COBIT guidance
Figure 4, COBIT Guidance for each governance and management objective, Escoute LLC

This is where it can get a little confusing. COBIT states that each one of these 40 objectives is also a process. How is that? Read on to the governance components next to see why.

Governance components

COBIT outlines seven governance components, essentially the ingredients of a governance system. Each governance and management objective is explained using these seven components and is required to achieve the governance and management objectives. They are factors that, individually and collectively, contribute to the good operations of the enterprise's governance system over I&T. They interact with each other, resulting in a holistic governance system for I&T. The most familiar type of component is processes.

Governance components
Figure 5, COBIT Governance Components, Escoute LLC

Goals cascade

Goals cascading is one of the most easily understood governance topics, but also one of the most difficult and misapplied tools. COBIT was the first framework to introduce a model where organizations can link their specific stakeholder needs to tables that link higher-level goals from the enterprise down to governance and management objectives (and processes).

COBIT goals
Figure 6, The COBIT goals cascade, Escoute LLC

This is a significant tool to help organizations determine which processes are the most valuable and relevant based on achieving enterprise goals. The goals cascade information can be found in the Introduction and Governance and Management Objectives publications of COBIT. Detailed information on how to apply the goals cascade can be found in the COBIT 2019 publication Governance and Management Objectives.

Design factors

Recognizing the need for a tool that helps enterprises create a tailored governance system, COBIT created a set of design factors that can be used to determine what parts of COBIT are more relevant than others based on several criteria.

Design factors
Figure 7, COBIT Design Factors, Escoute LLC

Consider these design factors as inputs or variables to a governance system. The internal and external environment changes constantly, and to have a truly tailorable and flexible governance system, organizations are continuously modifying their governance focus based on these changes. COBIT provides a methodology (downloadable tool) that takes inputs based on a specific enterprise's situation and provides guidance on which governance and management objectives are the most appropriate to enable the enterprise to meet its goals and support business strategy. This information can be found in the publication Designing an Information and Technology Governance Solution, also known as the "Design Guide."

Focus areas

Too much information to digest in COBIT? There's a solution for you. Several supplemental guidance publications help dissect COBIT into the parts relevant to a specific area or focus. Are you an organization that focuses exclusively on DevOps? COBIT has a Focus area guide for this. As of the publication of this paper, there are four of these guides, including DevOps, Small and Medium Enterprises, Information and Technology Risk, and Information Security. Outside of these focus area guides, several other informative publications link current topics with COBIT, such as various audit programs, implementing the NIST cybersecurity framework, and many more.


The guidance in this publication is intended to assist enterprises with implementation using ISACA methodologies, especially those developed in COBIT. The guide includes processes, example templates, and strategic and tactical direction designed to maximize benefit from the CSF and to help practitioners identify and achieve enterprise objectives for the governance and management of I&T.

COBIT Implementation
Figure 7, COBIT Implementation Model, ISACA

Performance management

COBIT Performance Management refers to how well the governance and management system, as well as all the components of an enterprise work and how they can be improved up to the required level. It includes methods and concepts such as capability levels and maturity levels. COBIT 2019 is based on the following principles:

  • Simple to understand and use.
  • Consistent with and support the COBIT conceptual model.
  • Provide reliable, repeatable, and relevant results.
  • It must be flexible.
  • It should support different types of assessments.

ISACA owns the CMMI model, so not surprisingly, the performance management largely aligns with and extends CMMI concepts, i.e., the 0-5 scale commonly used during assessments.


Like most frameworks, it is difficult to read the introductory material and say, "Aha, I get it." COBIT learned from past releases that sometimes perfect can ruin good. The previous version, COBIT5, had huge amounts of practical information, but many users didn't know how or where to enter the model to find it. With COBIT2019, this experience has been greatly realigned to user experience.

The following use cases represent typical scenarios when adopting COBIT in an organization.

Use Case Desired Outcome How to use COBIT

Aligning IT with the business

IT-related goals, objectives, strategies, and focus areas support business outcomes.
  • Start with the COBIT Goals Cascade and follow up with the Design Factors to ensure proper alignment.
  • COBIT Publications: Introduction, Governance and Management Objectives, and Design Guide.

Creating a tailored governance system

A governance system that continuously improves and incorporates changes to the internal/external environment.
  • SUse the Design Factors to determine which Governance and Management Objectives are most applicable to support the business strategy.
  • COBIT Publications: Governance and Management Objectives, and Design Guide.

Assessing capability and maturity

Measure the performance of processes and components to identify improvement opportunities.
  • Use the COBIT performance management principles.
  • Refer to the CMMI measurement approach.
  • COBIT Publications: Introduction, Governance and Management Objectives, and Design Guide.

Aligning COBIT with other applicable frameworks

Synchronizing multiple frameworks in the I&T governance system.
  • Use the "additional guidance" sections in the Governance and Management Objectives to determine applicable frameworks, standards, and bodies of knowledge.
  • COBIT Publications: Introduction, Governance and Management Objectives, and Design Guide.

Governance implementation

Iterative approach to adopting a GEIT system in the organization.
  • Adopt an iterative approach using the seven steps and three perspectives of the COBIT implementation methodology.
  • COBIT Publications: Governance and Management Objectives and Implementation Guide

Audit planning and execution

Design, plan, and execute audits for information and technology.
  • COBIT Publications: Introduction, Governance and Management Objectives, and Design Guide.
Table 2, Use cases when using COBIT.

There is something in COBIT for everyone, but you have to know where to look for it. This is a powerful tool that can help board members, senior management, IT management, process owners, auditors, service managers, and many more understand the essential practices and activities related to each role. The trick to making this framework provide value to your organization is to integrate this with other frameworks, standards, and best practices in your organization. For more information about COBIT, visit the ISACA website.

About the author

Mark Thomas

Mark is an internationally known Governance, Risk, and Compliance expert specializing in information assurance, IT risk, IT strategy, service management, cybersecurity, and digital trust. Mark has a wide array of industry experience including government, health care, finance/banking, manufacturing, and technology services. He has held roles spanning from CIO to IT consulting and is considered a thought leader in frameworks such as COBIT, DTEF, NIST, ITIL and multiple ISO standards. Mark is also a two-time recipient of the ISACA John Kuyers award for best conference contributor/speaker as well as an ISACA Hall of Fame recipient in 2024. He is also an APMG product knowledge assessor for the CGEIT, CRISC and CDPSE, and IT Risk certifications.

Sign up for our newsletter to get more quality content

Get fresh content in your inbox

By clicking 'keep me in the loop', you agree to processing of personal data according to the Privacy Policy.
Let's support faster, easier, and together