COBIT, or the Control Objectives for Information and Related Technologies, describes itself as “the globally accepted framework for optimizing enterprise IT governance.” The COBIT framework was designed to help organizations develop, implement, monitor, and improve their IT enterprise governance and information security processes.
While other cybersecurity frameworks, such as NIST and ISO 27001, are more cyber-focused, COBIT focuses more on ensuring IT (information technology) initiatives align with the company’s business goals (governance).
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines internal control as “a process, affected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”
When using COBIT to optimize business processes, internal control relates to the following:
- Information and communication
- Risk assessment
- Control activities
- Control environment
The COBIT IT governance framework provides a common language so compliance auditors, business executives, and IT professionals can communicate with each other regarding business and management objectives.
Why Organizations Use COBIT
Many industries are largely impacted by their IT initiatives, especially if the company handles, controls, computes, and processes high volumes of critical data (big data, cloud computing, social media, etc.). Although it’s important to have a strong cybersecurity focus, many cybersecurity frameworks do not consider business objectives. The COBIT framework views cybersecurity from a macro perspective and how IT goals affect overall business decision-making.
The five main principles of COBIT are:
- Meeting key stakeholders’ demands
- End-to-end, comprehensive coverage of the enterprises
- Framework integration into one unified framework
- Applying holistic approaches to running a business
- Separating management from governance policies
Organizations frequently use COBIT to meet regulatory compliance challenges, most commonly with SOX (Sarbanes-Oxley Act), but it can also be used in conjunction with other regulations such as HIPAA or GLBA.
The most common users of the COBIT framework are CISOs, CIOs, IT managers, IT directors, auditors, and other professionals in strengthening enterprise IT systems. The framework can help determine IT strategy, improve the efficiency of IT operations, and help determine business decisions across the organization.
Who Created the COBIT Framework?
COBIT was developed by The Information Systems Audit and Control Association (ISACA). ISACA is well-known in the industry for supporting technology professionals via various methods, including its IT certifications: CISA, CISM, CRISC, ITCA, CET, CDPSE, and CGEIT.
As a leader in information governance, audit, risk, and privacy, its goal is to help grow businesses by facilitating digital trust. To this end, it provides IT professionals with digital trust assets, training, and resources.
ISACA helps businesses with cybersecurity training as well as training in IT risk, information security, emerging technology, and governance. Individuals can advance their IT skills with CPE certification by various methods, including attending conferences, training weeks, webinars, volunteering, and lab activities.
History of the COBIT Framework
The first version of COBIT was implemented in 1996 as an auditing standard for financial advisors. Since then, ISACA has released additional versions in 1998 and the 2000s. COBIT 5, released in 2013, is especially notable because it was the first iteration that provided resources, goals, and best practices that all enterprise IT environments could use.
COBIT 5 improved upon COBIT 4.1 further by including the IT Infrastructure Library (ITIL) and other relevant standards from the International Organization for Standardization (ISO). While ISO develops the standards, it does not offer conformity assessment or certification. These can be achieved through external certification bodies. Organizations can prepare for COBIT certification using the COBIT IT governance framework.
COBIT 2019 is the latest version of the COBIT framework. The primary difference between this and earlier visions is that it is more comprehensive and flexible. Firms can use COBIT 2019 to achieve various business goals by making the most of current technology.
The latest COBIT version:
- Aligns more with global standards and best practices
- Enables feedback and collaboration to improve the framework
- Supports decision-making via a customizable IT governance system
COBIT Framework Fundamentals
The COBIT governance framework is guided by the following five principles, according to ISACA author Craciela Braga, CGEIT, CP:
- Governance objectives must meet stakeholder needs. It needs to create a practical strategy and governance system, and it must add value while balancing benefits, risks, and resources.
- This governance system must have a holistic approach.
- There is a difference between structures, management activities, and governance.
- The governance system should be customized to the organization’s needs. This necessitates a set of design factors to prioritize and customize the governance system’s components and apply this single integrated framework.
- The system should cover all enterprise functions, encompassing all IT functions and the enterprise’s technology and information.
Through the principles of COBIT, organizations can develop a holistic framework regarding governing and managing IT based on the following enablers set out in COBIT 5:
- Culture, Ethics, and Behavior
- Organizational Structures
- People, Skills, and Competencies
- Principles, Policies, and Frameworks
- Process Descriptions
- Services, Infrastructure, and Applications
One of the advantages of COBIT is that it is customizable and integrates well with other international standards, including:
COBIT vs. Information Technology Infrastructure Library (ITIL)
COBIT 2019 integrated elements of ITIL to make it more robust and widely usable in IT environments of various sizes. By comparison, ITIL alone has a narrower focus, concentrating on IT Service Management (ITSM).
Another notable difference between COBIT and ITIL is that ITIL necessitates third-party tools, such as Tudor IT Process Assessment (TIPA). A COBIT audit, on the other hand, must be performed by an ISACA Certified Information Systems Auditor (CISA).
However, ITIL can be used in conjunction with COBIT to good effect.
COBIT vs. The Open Group Architecture Framework (TOGAF)
Like ITIL, organizations may find that TOGAF complements the COBIT framework. It’s worth mentioning because while COBIT is one of the most widely used IT frameworks, 80% of Global 50 and 60% of Fortune 500 companies use TOGAF. It aims to help organizations use its standards to implement architectures for large-scale software systems.
The Open Group boasts more than 600 members across business, government, and academia. The documentation for this architectural framework consists of 52 chapters that help big businesses conduct efficient system design and implementation.
TOGAF is not ideal for every environment, so organizations can use COBIT methodologies instead or use a combination of both systems together. While TOGAF focuses more on IT architecture, COBIT encapsulates planning and organization, risk management, performance management, and governance.
COBIT vs. ISO 27001
As with TOGAF and ITIL, the main similarities between COBIT and ISO 27001 are its focus on the way businesses handle and manage their IT systems. However, again, there are no business management criteria within the ISO 27001 framework.
The primary difference between COBIT and ISO 27001 is that ISO 27001 focuses strictly on security controls within an organization. ISO describes it as “the world’s best-known standard for information security management systems (ISMS) and their requirements.”
ISO 27001 focuses on helping businesses establish, implement, maintain, and improve information security management systems while addressing three principles or dimensions of information security:
COBIT vs. COSO
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a popular internal control framework. Typically, corporations use this to optimize a financial statement control environment. It’s often used to help organizations achieve SOX compliance and works well with COBIT in this respect.
The COSO control framework is made up of five categories subdivided into 17 principles that can be broken down further to help perform risk assessments or help managers focus on designing or mapping internal controls. It offers broad financial guidance and helps define the enterprise risk management (ERM) context for preventing fraud.
Because COBIT cross-references COSO frequently, it can be ideal for managers that need to lean toward IT as they consider business risk. While both frameworks were designed for internal controls, COSO is more focused on providing a conceptual structure for financial risk reporting, so COBIT can be helpful to increase COSO’s scope to include IT control objectives.
How Businesses Can Integrate COBIT with the Capability Maturity Model Integration (CMMI)
The CMMI Institute, now owned by ISACA, created the Capability Maturity Model Integration (CMMI) to help businesses track their progress (maturity) in developing better security practices, risk management behaviors, and software development. While it is often known as a process improvement tool, it also works as a behavioral model that businesses can use to structure and strategize efficiency.
Since ISACA acquired the CMMI Institute, it has promoted the use of both frameworks together to ensure steady progression and implementation of COBIT over time. Like COBIT, CMMI has been through several iterations, from a reference model focused on software engineering to a more widely-applicable and streamlined tool for optimizing management guidelines.
Those involved in US Department of Defense (DoD) software development contracts will be familiar with the requirement to use CMMI methodology. The US government and DoD helped develop CMMI to boost efficiency and reduce business risks related to software, product, and service development.
CMMI Maturity Levels
One of the most useful things about CMMI is that it helps businesses categorize organizational maturity. At the lowest maturity level, a company has no established IT goals, and its business processes still need to be fully formed or satisfy business requirements. CMMI’s goal is to help businesses attain and maintain maturity level 5, at which the business has achieved stability, supporting continual improvement and adaptation.
- Level 1: Initial - Processes are performed on an ad-hoc basis in a relatively young, inexperienced, and unstable environment. Businesses in this stage do not have defined IT processes and often depend on one or two individuals to achieve business goals.
- Level 2: Managed - Organizations have begun to develop documented processes. Level 2 organizations have begun to define business goals and determine the necessary requirements and processes to achieve these goals.
- Level 3: Defined - Processes are clearly defined and understood by all individuals within the company. The company is more proactive than reactive, and there are clear company objectives that are far wider in scope than Level 2 organizations.
- Level 4: Quantitatively Managed - The organization has begun to use quantitative data to implement new processes and subprocesses that meet organizational goals. Processes and subprocesses are now evaluated by performance success and quality rather than completion.
- Level 5: Optimizing - Business goals are consistently achieved and exceeded. The organizational focus is on continuous improvement, process optimization, and regular review of business objectives.
Using CMMI with COBIT
In addition to maturity levels, CMMI also features capability levels from 0 to 3.
- Level 0: Incomplete - an inconsistent and incomplete approach.
- Level 1: Initial - the business begins to address performance issues.
- Level 2: Managed - a complete set of business practices is in place to address improvement.
- Level 3: Defined - there are clear organization-wide standards for achieving defined management objectives.
CMMI is an excellent methodology for assessing the maturity of a COBIT implementation. Users can combine capability levels with other factors to create custom concepts, metrics, and tools to help the organization quantify its maturity.
Using the two models in conjunction, businesses can develop a system that brings together governance practices, metrics, activities, and capability levels.