You can’t do large-scale business in 2024 without having a successful, well-run IT infrastructure. Arguably, it’s difficult to do any sort of business well (large or small) without tuning your IT capabilities to your business objectives. Doing so lets IT and the business work as one, not against each other.
COBIT is a framework created by ISACA (International Systems Audit and Control Association) to do this very task.
What is COBIT?
COBIT is an IT framework originally developed to help financial auditors align with IT, but its effectiveness at bringing IT processes in line with the goals of the business was quickly acknowledged. The framework has now been broadened to include the business community at large.
- ISACA created COBIT in 1996, and it has since gone through several iterations, with COBIT 5 (2012) being the most popular before the launch of the latest version, COBIT 19 (2019).
- COBIT used to be an acronym for Control Objectives for Information and Related Technologies, but it is now simply its own name.
- For all intents and purposes, when people refer to “COBIT,” they now mean COBIT 19 and all of its updates.
What Does COBIT Set Out to Accomplish?
COBIT, while providing guidance, does not provide specific applications. It is an umbrella framework that doesn’t contradict any other related frameworks in the same space.
As ISACA notes, “[COBIT] will not decide what the best IT strategy is, what the best architecture is, or how much IT can or should cost. Rather, COBIT defines all the components that describe which decisions should be taken, and how and by whom they should be taken.” This extends to:
- Processes
- Policies and procedures
- Organizational structures
- Information flows
- Skills
- Infrastructure
- Culture
- Behaviors
In a nutshell, COBIT “defines the design factors that should be considered by the enterprise to build a best-fit governance system.”
What’s Different in COBIT 19?
COBIT 5 provided generalized, broad-stroke applications regarding IT governance and management that could essentially be applied to any business. COBIT 19 makes those recommendations a little more personal and allows for customization to each company and its unique needs.
COBIT 19 is based on six principles:
- Providing stakeholder value
- Taking a holistic approach
- Having a dynamic governance system
- Making governance distinct from management
- Tailoring everything to the needs of the enterprise
- Implementing an end-to-end governance system
What are the Five Components of COBIT?
The five components of COBIT are:
- Framework: Here, the organization's various business requirements are linked to specific IT processes and people. It is important to connect executives and stakeholders to their counterparts in IT and make sure everyone knows the departments and governance objectives to which their respective business/IT tasks align.
- Process descriptions: Now, it’s time to create a common language across the organization. Consistent names and terms for different IT processes need to be in place so everyone can be on the same page when it comes to planning, operationalizing, and monitoring.
- Control objectives: What are the purposes of the various IT controls that executive stakeholders require? What are the high-level expectations for the IT controls – what does management want them to accomplish?
- Management guidelines: Who does what? Now is the time to define how different processes interrelate, how teams will be working together, and how performance will be measured across the board.
- Maturity models: How well are the processes you implemented working? This is where you use the scale of 1-5 model outlined below. If something falls below two, it calls for “immediate” action.
What is One of the Biggest Value Adds of COBIT 19 Today?
In two words: continuous improvement. Today’s companies need to adjust at a moment’s notice to quickly changing legislation, compliance requirements, technological advancements, malware, AI-based threats, and more. COBIT 19 allows organizations to stay agile and operate on the principle of progressive evolution – getting better as they go.
It builds in this element via the ‘COBIT Performance Management (CPM)’ system, which scores the effectiveness of a given process on a scale from zero to five. The metrics are as follows:
- 0: Lacks functionality. The process is not doing its job at governance or management.
- 1: Vaguely achieves its purpose, but is ad-hoc, incomplete, disorganized, and lacking optimization.
- 2: The process is complete and pretty much does its job.
- 3: A typically well-defined process that consistently does its job in an organized way.
- 4: The process does its job, is organized, and its performance is now (quantitatively) measured.
- 5: All of the above, but it incorporates continuous improvement.
Conclusion
The overarching purpose of COBIT and all its attendant updates is to bring IT and business leaders together and put them – and their processes – on the same page. In today’s world, it is the only way organizations can survive. Businesses may set out specific sales objectives or expansion aims, but without the right IT processes to support them, those aspirations will be hard to reach in the real world (which runs on technology and the information that flows through it).
As companies adopt COBIT practices and align with its approach, they can make sure IT ultimately makes it easier to succeed in a highly digital world, not harder.