by Sarah K. White

What is COBIT? A framework for alignment and governance

Feature
Jun 12, 2023 | 9 mins
IT Governance, IT Governance Frameworks, IT Leadership

COBIT is an IT management framework developed by the ISACA to help businesses develop, organize, and implement strategies around information management and governance.

What is COBIT and why is it important?

COBIT is an IT management framework developed by the ISACA to help businesses develop, organize, and implement strategies around information management and IT governance. The goal of the COBIT framework is to support “understanding, designing, and implementing the management and governance of enterprise IT (EGIT),” according to the ISACA.  

First released in 1996, COBIT (Control Objectives for Information and Related Technologies) was initially designed as a set of IT control objectives to help the financial audit community better navigate the growth of IT environments. In 1998, the ISACA released version 2, which expanded the framework to apply outside the auditing community. Later, in the 2000s, the ISACA developed version 3, which brought in the IT management and information governance techniques found in the framework today.

COBIT 4 was released in 2005, followed by the refreshed COBIT 4.1 in 2007. These updates included more information regarding governance surrounding information and communication technology. In 2012, COBIT 5 was released and in 2013, the ISACA released an add-on to COBIT 5, which included more information for businesses regarding risk management and information governance.

The ISACA announced an updated version of COBIT in 2018, ditching the version number and naming it COBIT 2019. This updated, and most recent, version of COBIT is designed to constantly evolve with “more frequent and fluid updates,” according to the ISACA. COBIT 2019 was introduced to build governance strategies that are more flexible and collaborative and that address new and changing technology.

Difference between COBIT 5 and COBIT 2019

COBIT 5 was released in 2012, but by 2019 a lot of changes had been introduced around compliance and regulatory standards in the industry, most notably the adoption of the European Union's GDPR data protection regulation. GDPR became enforceable in May 2018, and the ISACA updated the governance principles of COBIT to accommodate this new focus, expanding the five principles of COBIT 5 to six governance system principles. While COBIT has always had a focus on regulations and compliance, these new standards helped shape the revised COBIT 2019 framework with an updated lens on governance and management. For organizations embarking on digital transformation, COBIT helps navigate the complexities of IT compliance, regulation, and governance.

COBIT 2019 also introduced three governance framework principles, separate from the six governance system principles, that revolve around the openness and flexibility of the framework itself: a governance framework should be based on a conceptual model, it should be open and flexible, and it should be aligned to major standards, frameworks, and regulations. Additionally, the updated COBIT framework bases performance management on the CMMI Performance Management Scheme, which measures capability and maturity levels. Previously, COBIT 5 relied on the ISO/IEC 15504 process assessment model from the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) to define process capability levels.

Another major update is that COBIT 2019 outlines specific design factors that should influence the development of any enterprise governance systems, along with a governance system design workflow tool kit for organizations to follow. COBIT 2019 also introduced three new processes, going from 37 processes outlined in COBIT 5 to 40 in COBIT 2019. Other changes included minor edits to terminology and phrasing used throughout the documentation.

COBIT 2019 components

COBIT 2019 updates the framework for modern enterprises by addressing new trends, technologies, and security needs. The framework still plays nicely with other IT management frameworks such as ITIL, CMMI, and TOGAF, which makes it a good option as an umbrella framework to unify processes across an entire organization. Overall, COBIT 2019 is designed to give businesses more flexibility when customizing an IT governance strategy.

Like other IT management frameworks, COBIT helps align business goals with IT goals by establishing links between the two and creating a process that can help bridge a gap between IT — or IT silos — and outside departments.

One major difference between COBIT and other related frameworks is that it focuses specifically on security, risk management, and information governance. This is emphasized in COBIT 2019, with better definitions of what COBIT is and what it isn’t. For example, ISACA says COBIT 2019 isn’t a framework for organizing business processes, managing technology, making IT-related decisions, or determining IT strategies or architecture. Rather, it’s designed strictly as a framework for governance and management of enterprise IT across the organization. That’s better clarified for businesses in the updated version, so there’s less confusion about how COBIT should be used and implemented.

COBIT 2019 goals

According to the ISACA, COBIT 2019 was updated to include:

  • Focus areas and design factors that give more clarity on creating a governance system for business needs
  • Better alignment with global standards, frameworks, and best practices to bolster the framework’s relevance
  • An open-source model that allows for feedback from the global governance community to encourage faster updates and enhancements
  • Regular updates released on a rolling basis
  • More guidance and tools to support businesses when developing a “best-fit governance system, making COBIT 2019 more prescriptive”
  • A better tool to measure performance of IT and alignment with the CMMI
  • More support for decision-making, including new online collaborative features

COBIT 2019 also introduces “focus area” concepts that describe specific governance topics and issues, which can be addressed by management or governance objectives. Some examples of these focus areas include small and medium enterprises, cybersecurity, digital transformation and cloud computing. Focus areas will be added and changed as needed based on trends, research, and feedback — there’s no limit for the number of focus areas that can be included in COBIT 2019.

COBIT 2019 components

  • COBIT 2019 Framework: Introduction and Methodology. The main guide, which introduces the basic COBIT principles alongside the structure of the overall framework.
  • COBIT 2019 Framework: Governance and Management Objectives. A companion guide that dives into the COBIT Core Model and its 40 governance and management objectives. Each objective is described including its purpose, how it connects with the enterprise, and how it aligns goals.
  • COBIT 2019 Design Guide. A companion guide that offers in-depth guidance for developing a uniquely tailored governance system for your organization.
  • COBIT 2019 Implementation Guide. The fourth guide in the core set, which walks businesses through implementing the governance system once it has been designed. This includes best practices, ways to avoid pitfalls, and how to transition an existing COBIT 5 implementation to COBIT 2019.

COBIT principles and benefits

One major change to COBIT 2019 is that it now encourages feedback from the practitioner community. You will be able to purchase the COBIT 2019 Design Guide, but the ISACA also introduced a crowdsourced version of COBIT where practitioners can leave comments, suggest improvements or propose new concepts and ideas.

COBIT 2019 is designed to be more prescriptive in guiding companies to develop a governance strategy, while still enabling organizations to tailor a unique best-fit governance strategy. It defines the “components to build and sustain a governance system: processes, policies and procedures, organizational structures, information flows, skills, infrastructure, and culture and behaviors,” according to the ISACA. Formerly referred to as “enablers” in COBIT 5, these components better define what businesses need for a strong governance system.

According to the ISACA, COBIT 2019 best suits organizations that use multiple frameworks — such as ITIL, ISO/IEC 20000 and CMMI — with certain silos within IT using their own framework or standard. It’s also well suited to organizations that are required to follow specific regulatory guidelines from the government and local authorities.

The COBIT 2019 framework helps businesses align existing frameworks in the organization and understand how each framework will fit into the overall strategy. It can also help businesses monitor the performance of these other frameworks, especially in terms of security compliance, information security, and risk management.

It’s also designed to give senior management more insight into how technology can align with organizational goals. You can directly map pain points in the business to certain aspects of the framework, emphasizing the need for “control-driven IT,” according to the ISACA. The framework gives CIOs and other IT executives a way to demonstrate the ROI on an IT project and how it will help reach key business objectives.

COBIT certification

If you’re already certified in COBIT 5 through ISACA or in the middle of getting your certification, the ISACA will continue to support the accreditation and delivery of COBIT 5 training and certifications and it will “continue to live alongside COBIT 2019 training.” 

Certifications for COBIT 2019 include:

  • COBIT Bridge Workshop: This one-day course covers the concepts, models, and key definitions in COBIT 2019 with a heavy focus on the differences between COBIT 5 and COBIT 2019.
  • COBIT 2019 Foundation exam: This exam covers the “context, components, benefits, and key reasons COBIT is used as an information and technology governance framework.” You can earn your COBIT 2019 Foundation certificate after a two-day course.
  • COBIT 2019 Design and Implementation exam: This certification covers designing a tailor-made best-fit governance system using COBIT.
  • Implementing NIST using COBIT 2019: This credential covers everything you need to know about implementing the NIST Cybersecurity Framework while meeting industry standards and integrating EGIT.

As of this writing, this is the only available information on the COBIT 2019 certification scheme, but the ISACA notes that the “COBIT 2019 product family and training is open ended. ISACA will continue to evaluate the development of future training modules based on feedback and market need.”

For more IT management certifications, see “17 IT management certifications for IT leaders.”