Introduction To COBIT
Control Objectives for Information and Related Technologies, commonly referred to as COBIT, is a best practice framework produced by ISACA for IT governance and management. If the past few years have proved anything, it is that there is an urgent need for the development and management of internal controls and essential levels of security in information technology. For many entities, the application of IT is crucial to their business operations and market strategies. Such organizations require a basis for understanding the risks and drawbacks of IT at various levels within the corporation in order to achieve an optimum level of direction and adequate control. Well-managed enterprises use best practices to ensure that the company achieves its operational and strategic goals. Those goals require an entity to take on an acceptable level of risk. The entity establishes controls over strategy and operations to limit its risks and help achieve the desired goals and strategies.
The framework describes a set of generic processes for the management of IT; each process is explained together with its inputs and outputs, objectives, key activities, an elementary maturity model, and performance measures. It also provides a set of recommended best practices for the governance and control of information systems and technology, with the aim of aligning business with information technology. Control Objectives for Information and Related Technology (COBIT) is perhaps the most holistic, internationally recognized framework purposely designed for achieving organizational information technology goals and objectives.
History of COBIT
ISACA, an international professional association, first released COBIT in 1996 as a set of control objectives to help the financial audit community work more effectively with IT-related systems. Seeing value and possible progress beyond the auditing field, the association released a more comprehensive version in 1998 and expanded it further by adding management guidelines in the third version, released in 2000. The development of AS 8015, the Australian Standard for Corporate Governance of Information and Communication Technology, in January 2005 and of ISO/IEC 38500 in January 2007 raised awareness of the need for reliable information and communication technology (ICT) governance components. As expected, ISACA added related components and frameworks with versions 4 and 4.1 in 2005 and 2007 respectively, stating that it would be "addressing the IT-related processes and responsibilities when it comes to value creation (Val IT) and risk management (Risk IT)." Presently, COBIT 5 systematically combines and merges COBIT 4.1, Risk IT, and Val IT into a single framework that acts as an enterprise framework aligned and interchangeable with other frameworks and standards.
The framework clearly explains:
- Over 34 IT processes in 4 broad groups (domains). These 34 processes depend on and impact IT resources.
- High-level control objectives for each of the 34 processes.
- About 318 detailed control objectives, with associated audit guidelines.
COBIT framework specifics
COBIT's business orientation and mode of operation comprise linking business goals to IT goals, providing metrics and maturity models for ascertaining the level of accomplishment, and identifying the interrelated responsibilities of business and IT process owners. To fully understand the scope of the COBIT framework's mode of operation, two main terms are defined: Control and IT Control Objective. Control is adapted from the COSO report (Internal Control-Integrated Framework), while the IT Control Objective is adapted from the Systems Auditability and Control Report, The Institute of Internal Auditors (IIA) Research Foundation, 1991 and 1994.
- Control is the form of procedures, practices, policies and organizational structures designed to provide an acceptable level of assurance that business objectives and strategies will be attained and undesired incidents will be detected and corrected in a quick, concise manner.
- IT Control Objective is a statement of the level of acceptable results to be attained by implementing control procedures concerning a particular IT operation.
There are two distinct classes of control models available today: business control models (e.g., COSO and CoCo) and the more focused control models for IT (e.g., DTI). COBIT aims to close the gap that exists between the two. Apart from being more encompassing for management, COBIT also operates at a higher level than pure technology standards for information systems management. IT governance is defined as a structure put in place to control and direct an enterprise in achieving its goals by adding value while assessing and balancing risk against return over IT and its processes. The basic underlying concept of the COBIT framework is that control in IT is attained by focusing on the information that is required to support the business objectives or requirements, and by treating that information as the result of the combined application of IT-related resources that need to be managed by IT processes.
COBIT components include:
- Framework: It organizes and categorizes IT governance objectives and good practices by IT domains and processes before associating them with their respective business requirements.
- Process descriptions: A reference process model and common language for everyone in an organization. The processes map to responsibility areas of plan, build, run, and monitor.
- Control Objectives: Provides a complete set of high-level requirements to be considered by management for effective control of each IT process.
- Management guidelines: Helps assign responsibility, agree on objectives, measure performance, and illustrate interrelationship with other processes.
- Maturity models: Assesses maturity and capability per process and helps to address gaps.
Users of COBIT and its benefits
COBIT is a framework created to be of use to three distinct types of people: Management, Auditors, Users.
- Management: This framework helps management of enterprises to balance their risk versus reward situations and control investments in an ever-changing IT world.
- Auditors: To provide a framework that helps auditors arrive at an acceptable opinion on the level of assurance over the subject matter being audited, and to offer advice to management on internal controls.
- Users: To obtain assurance on the security and controls of IT services provided by internal or external parties.
Furthermore, COBIT is used by business process owners to discharge their responsibility for controlling the information aspects of their processes, and by those responsible for IT in the enterprise.
COBIT offers globally accepted models to help maximize the value of and trust in IT, and its extended guidance gives security, risk, business, and IT consulting professionals a broader framework to help in delivering and maintaining enterprise objectives and strategies. Some of the numerous benefits of COBIT are listed below:
- Helps accomplish operational excellence through the efficient, effective, and trustworthy application of technology.
- Optimizes the cost of IT services and technology.
- Helps manage and maintain IT-related risk, keeping it at an acceptable level.
- Delivers desirable business benefits through the effective and innovative use of IT and the achievement of strategic business goals.
- Maintains high-quality information to support business decisions.
- Supports IT organizations in complying with business-oriented policies, regulations, relevant laws, and contractual agreements.
COBIT and alternative frameworks
All governance frameworks share the same objective: to implement the best operating practices that lead to minimal financial losses from compliance failures and minimal adverse publicity that can harm an organization. These different practices make it much easier for an organization to undergo regulatory audits and achieve the best results. "Control frameworks" and "security standards" are often used interchangeably, depending on whom you ask. For the purpose of the discussion in this section, frameworks and security standards will be considered interchangeable, as they are all directed at the same end product, which is protecting an organization's information assets. Taking COBIT's definitions as a basis, COBIT classifies a framework as a Control Framework, described as a tool for business process owners that expedites and accelerates the discharge of their responsibilities through the provision of a supporting control model.
Comparison of ITIL, COBIT, and ISO/IEC 20000:

| | ITIL | COBIT | ISO/IEC 20000 |
|---|---|---|---|
| What is it? | A set of best practice publications for IT service management | A business framework for the governance and management of enterprise IT | An international standard for IT service management system requirements |
| How long is it? | Five core publications totalling about 1800 pages, plus complementary publications | Core publication of 94 pages, plus 230 pages for enabling processes, and further publications | Part 1 (service management system requirements) has 36 pages; there are other parts covering other aspects |
| How is it seen in the market? | ITIL has a focus on internal processes. Recent versions have incorporated a service lifecycle and more focus on value and customers | COBIT comes from a history of audit and compliance. The latest version has moved towards IT service governance and management | ISO/IEC 20000 is an international standard, and the main focus is on achieving certification to demonstrate compliance with the standard |
| Who is it generally used by? | Any organization providing internal or external IT services. It is most commonly used in operational IT departments | Internal IT organizations of large enterprises. COBIT is often used by strategic teams and people responsible for audit and compliance | IT organizations that want to demonstrate that they meet an externally defined standard |
| What is it mainly used for? | Helping to define operational IT service management processes | Defining audit and compliance requirements for IT | Demonstrating that the IT organization meets a recognized standard |
On the other hand, COBIT describes a standard as a business practice or technology product that is generally accepted and endorsed by the enterprise or IT management team. There are various security standards and control frameworks that could substitute for COBIT, even if they are not as effective.
The following are security standards and control frameworks interchangeable with COBIT that can address information security requirements:
- Federal Information Security Management Act of 2002 (FISMA): Its main purpose is to offer a comprehensive framework that ensures the effectiveness of security controls over the information resources that support federal operations and assets. The law also provided funding for NIST to develop and improve the minimum controls essential for providing adequate security. The government issues an annual report card based on its assessment of compliance with the framework.
- Federal Information System Controls Audit Manual (FISCAM): Issued by the General Accounting Office, this guides information systems auditors in assessing the IT controls used in support of financial statement audits. It is not an audit standard but is included here because auditors in government audits typically test the control environment using this specification. There has been increased emphasis on the use of NIST 800-53 controls and NIST 800-53A assessments; however, FISCAM is still used by government auditors, and it is therefore advisable to understand its contents.
- Health Insurance Portability and Accountability Act (HIPAA): The final rule for implementing security standards was published on February 20, 2003. This rule required a series of administrative, technical, and physical security procedures for entities to use in order to assure the confidentiality of Protected Health Information (PHI). The standard was purposely non-technology specific and intended to provide scalability to small providers and large providers alike.
- Information Technology Infrastructure Library (ITIL): ITIL is a set of books issued by the British government's Stationery Office between 1989 and 1992 to improve and develop IT service management. The ITIL framework comprises a set of best practices and policies for core IT operational processes such as change, release, and configuration management; incident and problem management; capacity and availability management; and IT financial management. The primary contribution of ITIL is to show how controls can be implemented for the IT service management processes.
- ISO/IEC 27001: This is the international standard for information security management. If you are running IT services, you must make sure you understand the requirements for information security and take them into account when designing your management system.
- Agile: This is a development methodology that splits projects into short phases, each of which delivers a working, valuable outcome. Agile can provide an excellent framework for an ITSM improvement project, helping you deliver measurable value rapidly in small increments.
- Kanban: This is a methodology for managing work in progress, to optimize and make the use of resources more efficient. Kanban can provide an excellent way to handle the workload of technical people in an IT department, ensuring that you get maximum value from your limited resources.
- PRINCE2 and PMI: Project management methodologies. Every IT department manages lots of projects, and you need formal project management methodologies to ensure you get value for your money.
The COBIT framework, on its highest level, creates a three-dimensional structure consisting of:
- Business requirements (information criteria): integrity, effectiveness, availability, efficiency, compliance, confidentiality, and reliability
- IT resources: infrastructure, applications, information, and people
- IT processes (structured into domains, processes, and people)
The affiliations between these components are exemplified by a so-called COBIT
All the processes are listed under four domains (each abbreviated by two capital letters):
- PO: Plan and Organize.
- AI: Acquire and Implement.
- DS: Deliver and Support.
- ME: Monitor and Evaluate.
COBIT intersection with other frameworks and processes
Several documents in the COBIT library describe in great detail the mapping of COBIT concepts and structure to other frameworks and standards. Examples include mappings of COBIT to ITIL, CMMI, TOGAF, and others.
COBIT places more focus on “what” to do than on “how” to do it. Consequently, it delegates “how-to-do” related issues to other tools, frameworks, and methodologies.
COBIT connects with ITIL primarily in DS and AI domains; however, processes from other domains are also important to an extent. Also, other concepts like information criteria, information resources, and IT governance focus are mapped to some extent.
The COBIT/CMMI mapping covers concepts of process improvement for development activities and for the implementation, acquisition, and maintenance of systems and software products. COBIT also makes wide use of original CMMI concepts, such as maturity models.
CMMI maps to all processes of the AI domain and to some processes of the remaining domains. Other concepts, such as information criteria and information resources, are also mapped to some extent.