by Sarah K. White

What is COBIT? A framework for alignment and governance

Feature
Jan 15, 2019 | 8 mins
IT Governance, IT Governance Frameworks, IT Leadership

COBIT is an IT management framework developed by the ISACA to help businesses develop, organize and implement strategies around information management and governance.

What is COBIT?

COBIT is an IT management framework developed by the ISACA to help businesses develop, organize and implement strategies around information management and IT governance.

First released in 1996, COBIT (Control Objectives for Information and Related Technologies) was initially designed as a set of IT control objectives to help the financial audit community better navigate the growth of IT environments. In 1998, the ISACA released version 2, which expanded the framework to apply outside the auditing community. Later, in the 2000s, the ISACA developed version 3, which brought in the IT management and information governance techniques found in the framework today.

COBIT 4 was released in 2005, followed by COBIT 4.1 in 2007. These updates included more information regarding governance surrounding information and communication technology. In 2012, COBIT 5 was released and in 2013, the ISACA released an add-on to COBIT 5, which included more information for businesses regarding risk management and information governance.

The ISACA announced an updated version of COBIT in 2018, ditching the version number and naming it COBIT 2019. This updated version of COBIT is designed to constantly evolve with “more frequent and fluid updates,” according to the ISACA. COBIT 2019 was introduced to build governance strategies that are more flexible, collaborative and address new and changing technology.

What’s in COBIT 2019?

COBIT 2019 updates the framework for modern enterprises by addressing new trends, technologies and security needs. The framework still plays nicely with other IT management frameworks such as ITIL, CMMI and TOGAF, which makes it a great option as an umbrella framework to unify processes across an entire organization.

New concepts and terminology have been introduced in the COBIT Core Model, which includes 40 governance and management objectives for establishing a governance program. The performance management system now allows more flexibility when using maturity and capability measurements. Overall, the framework is designed to give businesses more flexibility when customizing an IT governance strategy.

Like other IT management frameworks, COBIT helps align business goals with IT goals by establishing links between the two and creating a process that can help bridge a gap between IT — or IT silos — and outside departments.

One major difference between COBIT and other frameworks is that it focuses specifically on security, risk management and information governance. This is emphasized in COBIT 2019, with better definitions of what COBIT is and what it isn’t. For example, ISACA says COBIT 2019 isn’t a framework for organizing business processes, managing technology, making IT-related decisions, or determining IT strategies or architecture. Rather, it’s designed strictly as a framework for governance and management of enterprise IT across the organization. That’s better clarified for businesses in the updated version, so there’s less confusion about how COBIT should be used and implemented.

COBIT 2019 goals

According to the ISACA, COBIT 2019 was updated to include:

  • Focus areas and design factors that give more clarity on creating a governance system for business needs
  • Better alignment with global standards, frameworks and best practices to bolster the framework’s relevance
  • An open-source model that allows for feedback from the global governance community to encourage faster updates and enhancements
  • Regular updates released on a rolling basis
  • More guidance and tools to support businesses when developing a “best-fit governance system, making COBIT 2019 more prescriptive”
  • A better tool to measure performance of IT and alignment with the CMMI
  • More support for decision making including new online collaborative features

COBIT 2019 also introduces “focus area” concepts that describe specific governance topics and issues, which can be addressed by management or governance objectives. Some examples of these focus areas include small and medium enterprises, cybersecurity, digital transformation and cloud computing. Focus areas will be added and changed as needed based on trends, research and feedback – there’s no limit for the number of focus areas that can be included in COBIT 2019.

COBIT 2019 components

  • COBIT 2019 Framework: Introduction and methodology: The main guide that introduces the basic COBIT principles alongside the structure of the overall framework.
  • COBIT 2019 Framework: Governance and management objectives: A companion guide that dives into the COBIT Core Model and 40 governance and management objectives. Each objective is described including its purpose, how it connects with the enterprise and how it aligns goals.
  • COBIT 2019 Design Guide: A companion guide that offers in-depth guidance for developing a uniquely tailored governance system for your organization.
  • COBIT 2019 Implementation Guide: The fourth companion guide in the framework, which guides businesses through implementing the governance strategy once it’s developed. This includes best practices, ways to avoid pitfalls and how to integrate your COBIT 2019 strategy with your COBIT 5 strategy.

COBIT principles and benefits

One major change to COBIT 2019 is that it now encourages feedback from the practitioner community. You will be able to purchase the COBIT 2019 Design Guide, but in early 2019 the ISACA will also release a crowdsourced version of COBIT where practitioners can leave comments, suggest improvements or propose new concepts and ideas.

COBIT 2019 is designed to be more prescriptive in guiding companies as they develop a governance strategy, while also allowing organizations to more comfortably tailor a unique best-fit governance strategy. It defines the “components to build and sustain a governance system: processes, policies and procedures, organizational structures, information flows, skills, infrastructure, and culture and behaviors,” according to the ISACA. Formerly referred to as “enablers” in COBIT 5, these components better define what businesses need for a strong governance system.

According to the ISACA, COBIT 2019 best suits clients that use multiple frameworks — such as ITIL, ISO/IEC 2000 and CMMI — with certain silos within IT using their own framework or standard. It’s also well suited to organizations that are required to follow specific regulatory guidelines from the government and local authorities.

The COBIT 2019 framework helps businesses align existing frameworks in the organization and understand how each framework will fit into the overall strategy. It can also help businesses monitor the performance of these other frameworks, especially in terms of security compliance, information security and risk management.

It’s also designed to give senior management more insight into how technology can align with organizational goals. You can directly map pain points in the business to certain aspects of the framework, emphasizing the need for “control-driven IT,” according to the ISACA. The framework gives CIOs and other IT executives a way to demonstrate the ROI on an IT project and how it will help reach key business objectives.

COBIT certification

If you’re already certified in COBIT 5 through ISACA or in the middle of getting your certification, the ISACA will continue to support the accreditation and delivery of COBIT 5 training and certifications and it will “continue to live alongside COBIT 2019 training.” 

Certifications for COBIT 2019 include:

  • COBIT Bridge Workshop: a one-day course that covers the concepts, models and key definitions in COBIT 2019 with a heavy focus on the differences between COBIT 5 and COBIT 2019.
  • COBIT 2019 Foundation exam: prepares attendees for the COBIT 2019 foundation certificate exam, covering the “context, components, benefits and key reasons COBIT is used as an information and technology governance framework.” You’ll be able to earn your certificate in COBIT 2019 foundations after a two-day course.
  • COBIT 2019 Design and Implementation exam: this certification will launch in April 2019 and will cover designing a tailor-made best-fit governance system using COBIT.

As of this writing, this is the only available information on the COBIT 2019 certification scheme, but the ISACA notes that the “COBIT 2019 product family and training is open ended. ISACA will continue to evaluate the development of future training modules based on feedback and market need.”

For more IT management certifications, see “17 IT management certifications for IT leaders.”
