COBIT®
COBIT - Control Objectives for Information and related Technology

COBIT was initially created by the Information Systems Audit & Control Foundation in 1996, and the Governance Institute updated it in 2000 for the release of the 3rd Edition. Release 4 was published in 2005. Release 5 was published in 2011.

COBIT provides a control and management framework with a set of good practices.

It provides the links between IT governance requirements, IT processes, and IT controls. It is strongly focused on control and less on execution.

COBIT addresses a broad spectrum of duties in IT management, including significant parts of IT service management.

It is based on established frameworks and best practices including the Software Engineering Institute’s Capability Maturity Model, ISO 9000, ITIL®, and ISO/IEC 17799.

COBIT 5 is a culmination of COBIT, ValIT, RiskIT and other ISACA frameworks.

COBIT recommends that management put an internal control system or framework in place so that IT can succeed in delivering against business requirements. It is relatively high level and broad-based, aiming to be generically complete, but not specific.


Who’s Involved?

• IT Governance Institute (ITGI) – Established in 1998 to advance international thinking and standards in directing and controlling an enterprise’s information technology.

• Information Systems Audit and Control Association (ISACA) – founded in 1969, ISACA is an international professional, technical and education organization dedicated to being a recognized global leader in IT governance, security, control and assurance.


What does COBIT provide?

COBIT provides a number of useful features, many related to audit practices, and ensures that internal controls are working correctly, including:

• Common approach for IT functions, the business, and auditors

• Strong support for IT audit, reducing the cost of audit risk assessment

• Assistance when implementing effective practices by avoiding the need to ‘reinvent the wheel’


COBIT Components

COBIT provides 37 generic processes that govern the IT resources to deliver information to the business according to the business and governance requirements. Primarily of interest to governance, assurance, control and security professionals, the following are the main elements of COBIT:

• Principles

• Process Reference Model

• Goals and Metrics

• Practices and Activities

• Inputs and Outputs

• Roles and Responsibilities


Comparison with ISO/IEC 20000

ISO/IEC 20000 covers a subset of processes from the following COBIT process areas (relevant sections of ISO/IEC 20000 are in parentheses):

• Deliver, Service and Support (Section 6: Service Delivery Processes)

• Build, Acquire and Implement (Section 5: Design and Transition of New or Changed Services)

• Align, Plan and Organize (Section 4: Service Management System General Requirements)

COBIT is based on a top-down approach built on a hierarchy of domains, processes, and activities. This has parallels with the ISO/IEC 20000 top-down policy, process, procedure hierarchy.

In COBIT, each process is described by using the following information:

• High-level control objectives

• Detailed control objectives

• Information criteria affected by the process

• IT resources used by the process

• Typical characteristics depending on the maturity level

• Inputs and outputs of the process

• RACI chart of activities against function

• Goals and metrics

The audit guidance and practices of COBIT can provide useful input to an organization planning extensive changes and improvements in order to achieve ISO/IEC 20000.