Discover how SoSafe’s Human Risk Management Dashboard can help make aspects of human risk easier to assess and track within your enterprise architecture.

The COBIT framework in detail: Strategically aligning IT governance
If you want to seamlessly combine IT security and business objectives, you need clear structures. The COBIT framework minimises risks and creates measurable added value.
Contents
- What is COBIT?
- COBIT 5 vs. 2019
- COBIT principles
- Domains: EDM, APO, BAI, DSS, MEA
- Components
- Maturity levels
- Certification
- Implementation
What is COBIT?
A well-founded explanation of COBIT begins with the core task of the model. The COBIT framework consistently aligns IT processes with the overarching business objectives of a company. The acronym originally stood for ‘Control Objectives for Information and Related Technology’. Today, the publisher ISACA uses only the short name.
The framework establishes structured COBIT governance for the entire organisation. IT managers use it to control complex infrastructures and make the value of IT investments reliably measurable. At the same time, the system minimises operational risks. It bridges the gap between technical challenges, regulatory requirements and strategic demands.
Organisations of all sizes can flexibly adapt the model to their own needs. This allows them to maintain full control over their information and technology landscape.
COBIT 5 vs. COBIT 2019
ISACA continuously develops the COBIT framework.
The following overview shows the specific differences between the two versions of the COBIT framework. We have translated the raw data into practical comparison criteria.
| Comparison criterion | COBIT 5 | COBIT 2019 |
|---|---|---|
| Governance principles | 5 principles | 6 principles |
| Framework principles | Not defined | 3 new principles integrated |
| Process landscape | 37 processes | 40 processes |
| Process terminology | Active wording (‘Manage’, ‘Ensure’) | Passive wording (‘Managed’, ‘Ensured’) |
| Performance measurement | Scale from 0 to 5 (according to ISO/IEC 33000) | CMMI Performance Management Scheme |
| System components | Enablers | Components |
| Individualisation | No design factors available | New design factors for system adaptation |
Making human risks visible

The six COBIT principles for a governance system
The current COBIT framework defines clear rules for successful IT governance. The six COBIT principles form the foundation of the 2019 version. They help companies achieve their individual business objectives systematically.
COBIT domains and processes
Operational control in the COBIT framework is carried out via structured subject areas, the so-called COBIT domains. Each domain bundles thematically related IT processes. This structure systematically assigns all activities to the areas of governance or management. The current version comprises a total of 40 clearly defined COBIT processes.
COBIT Components
In the previous version, the COBIT framework summarised the basic building blocks of a governance system under the term ‘Enablers’. Today, IT managers speak exclusively of COBIT Components. These components form the practical foundation for reliably putting IT objectives into practice.
The methodology distinguishes between seven core components that are in constant interaction with each other:
- Processes provide concrete process plans for day-to-day work and bundle activities to achieve objectives.
- Organisational structures assign clearly defined roles and responsibilities to all persons or departments involved in the company.
- Culture, ethics and behaviour, as a human factor, decisively determine how employees deal with security requirements on a daily basis.
- Information represents the knowledge that systems produce and that managers need for reliable decisions.
- Services, infrastructure and applications comprise the entire technological basis that keeps ongoing operations running.
- Employee skills and competencies ensure that everyone involved has the necessary knowledge to perform their tasks without error.
- Principles, policies and frameworks translate abstract objectives into measurable rules for practice.
Managers must balance all seven components. Even the best technological infrastructure is useless if employees lack security-conscious behaviour.
Strategically using maturity levels in COBIT
Organisations need to know how effectively their IT processes work in reality. For this performance measurement, the COBIT framework uses detailed COBIT maturity levels (also called capability levels). The current model works with a CMMI-based rating scheme that classifies processes on a scale from 0 (non-existent) to 5 (highly optimised).
For IT decision-makers, this model is much more than a theoretical scale. It is a powerful tool for budget negotiations. A CISO, for example, defines a required target maturity level of 4 for the ‘Security Awareness’ process. The actual assessment, however, shows only level 2, because training has so far been unstructured. This measurable gap serves as a direct, data-based line of argument.
At the same time, the system protects against unnecessary costs. Not every process has to reach the highest level 5. Companies decide on the basis of their risk appetite which processes require maximum attention and where a level 2 or 3 is perfectly sufficient.
Particularly in the area of cybersecurity, IT managers use this approach to make abstract dangers tangible. The seamless measurability of abstract factors – such as human behaviour in response to phishing attacks – forms the absolute centrepiece of modern risk management.
COBIT certification: What it costs and who benefits
Anyone who becomes officially certified is investing in personal expertise. A COBIT certification is aimed at individuals, especially IT decision-makers, auditors and consultants. It documents that someone has truly mastered the complex governance model and can apply it in practice.
The path to certification is gradual. ISACA recommends the ‘COBIT 2019 Foundation’ certificate as a starting point. Further programmes build on it, including ‘Design and Implementation’. The exam fee is usually between 175 and 300 US dollars per exam, depending on ISACA membership status. Preparatory courses and training materials cost extra.
The investment is absolutely worthwhile for personal expertise. However, when it comes to demonstrating the security of an entire company to partners and customers, organisations usually resort to ISO 27001 or the NIS2 directive. The COBIT framework provides the solid internal structure to pass precisely these external audits with confidence.
COBIT implementation: Steps and success factors
A well-thought-out COBIT implementation changes the way a company controls and evaluates its IT. This makes it a strategic decision that goes far beyond the IT department. ISACA recommends seven consecutive phases that map the entire implementation life cycle.
The most important steps at a glance:
- Stocktake: Analyse the status quo and identify the specific drivers for change.
- Defining objectives: Use the design factors to design a tailor-made governance system for your own organisation.
- Roadmap creation: Define realistic interim objectives. A typical implementation cycle can be planned in iterations of around three months.
- Training and cultural change: Involve the workforce at an early stage. As culture and behaviour play a key role as a component, accompanying cyber security awareness training is recommended to anchor the security culture in the long term.
- Performance measurement: Continuously check progress and use the CMMI maturity model to measure whether the implemented processes are achieving the desired level.
Maintaining momentum over the entire project duration is the biggest challenge during implementation. IT managers should therefore communicate successes and measurable improvements regularly and clearly to the board of directors.
COBIT vs. ITIL: The perfect complement
Many IT managers see enterprise security frameworks as competitors. However, the comparison between ITIL and COBIT shows that the two approaches complement each other well in practice. They simply pursue different objectives and start at different points.
The COBIT framework provides the overarching control system. It primarily answers the question of ‘what’ and ‘why’. CISOs use it to ensure that the entire IT strategy is compliant with business objectives and legal requirements. ITIL, on the other hand, concentrates fully on operational implementation and value creation in service management. It focuses on the ‘how’ with detailed answers, i.e. how IT services are specifically structured and improved.
A greatly simplified analogy from road traffic: COBIT builds roads and lays down the traffic rules. ITIL then regulates the traffic so that the cars on these roads arrive at their destination efficiently, safely and on time. A combination of both standards enables a holistic IT strategy that meets the highest governance standards as well as excellent service.
COBIT vs. ISO 27001
At first glance, the COBIT framework and ISO 27001 pursue a similar goal, but take fundamentally different paths. COBIT controls and evaluates internal processes. ISO 27001 is more externally oriented: It creates the auditable proof that partners and customers demand. For organisations that need both, a combined strategy is recommended: COBIT creates the internal structure, ISO 27001 documents it.
COBIT vs. NIST CSF 2.0
Anyone who wants to specifically fend off cyber threats will soon come across the NIST Cybersecurity Framework.
COBIT vs. TOGAF
TOGAF uses a different lever than COBIT. It describes how companies structure and develop their entire IT architecture. The COBIT framework then controls and monitors this architecture at the governance level. In practice, many organisations use TOGAF for development and COBIT for ongoing operations.