What is COBIT?
Learn about Control Objectives for Information and Related Technologies, or COBIT, the goals of the framework, the benefits, how it can help companies meet compliance, and more in Data Protection 101, our series on the fundamentals of information security.
How you do business is largely shaped by IT and technology. Technologies such as big data, cloud computing, mobility, and social media generate high volumes of data. This data can put enterprises ahead of the competition, but it also gives business a lot of challenges as well as data governance and management problems.
Definition of Control Objectives for Information and Related Technologies
Control Objectives for Information and Related Technologies, more popularly known as COBIT, is a framework that aims to help organizations that are looking to develop, implement, monitor, and improve IT governance and information management.
COBIT was established by ISACA, which stands for Information Systems Audit and Control Association. Both ISACA and the IT Governance Institute (ITGI) publish it.
Evolution of COBIT
If you are wondering why the current name is “COBIT” when it started out as "Control Objectives for Information and Related Technology" or COBIT, then you should know how this framework started out.
COBIT was first published in the mid-1990s. Back then, COBIT was mainly focused on auditing, specifically helping financial auditors navigate IT environments. It has since gone beyond auditing. In its third version, ISACA introduced management guidelines into COBIT.
In version 4, ICT governance was also added to the set of guidelines. The current version, which was released in 2014, placed more importance on information governance and its role in the success of the business, as well as enterprise risk management.
5 Core Principles of COBIT 5
The latest version of COBIT is hinged upon five principles:
1. Meeting the needs of key stakeholders.
2. End-to-end and comprehensive coverage of the entire enterprise.
3. Integrating several frameworks into one unified framework.
4. Making way for a holistic approach to running your business.
5. Separating management from governance.
What is NIST Compliance? (Checklist, Definition, & More)
Goals of the COBIT Framework
With four versions already out, ISACA still felt the need to update to COBIT 5. The latest iteration brings together the guidelines and principles outlined in COBIT 4, as well as Val IT 2.0 and Risk IT Frameworks. COBIT 5 also references both the Business Model for Information Security 5 and ISACA's IT Assurance Framework.
According to ISACA, the improvements and updates to COBIT 5 are meant to:
• Make information sharing more streamlined across and within an organization.
• Achieve the business goals by mixing strategy and IT together.
• Minimize risk related to, and have more control over, information security.
• Optimize various costs associated with technology and IT.
• Integrate more recent research findings by ISACA into the COBIT framework.
This means that companies that utilize several frameworks, such as CMI, ITIL or ISO/IEC 2000 as well as those who have to worry about regulatory guidelines will have an easier time with their IT governance.
What are the benefits of COBIT 5? There are several ways that COBIT 5 would be beneficial to different businesses and different functions. Aside from the ability to supervise and manage your information security more effectively, that is.
For instance, COBIT 5 can help audit and assurance companies manage vulnerabilities as well as ensure compliance.
In risk management, COBIT forces you to assess and then improve on enterprise risk. It is also a good way to keep ahead of the ever-changing regulatory requirements and compliance.
COBIT 5 Framework
COBIT 5 has several components including:
• Main Framework. Lays down guidelines, objectives, and good practices related to IT governance covering every IT domain and process. These are then linked to needs and requirements of the business. The aim of the main framework is to align business goals with IT. This allows IT personnel to get a full appreciation of the company's goals, while also helping the C-suite and executives understand their IT aims.
• Process Descriptions. This component helps an organization to have a reference process model, and conversely, a common language to be used by everybody in the organization. These descriptions cover everything – from planning, creating, executing, and even monitoring all processes involved in IT. Process descriptions help everyone in the company easily understand the processes, their descriptions, and their terminology.
• Control Objectives. This would be where you would find a complete list of requirements that management has earlier pinpointed as necessary for effective control of IT processes. This particular section can help improve all IT processes.
• Management Guidelines. These guidelines detail who would be responsible for what tasks, as well as how to measure the performance of the company in implementing COBIT 5. These guidelines can also help stakeholders to agree on similar objectives, as well as suggestions on how the framework works with other IT frameworks.
• Maturity Models. These assess the organization's maturity and how each of the IT processes will be able to cope up with any growth. If gaps are found, the maturity models can help businesses plug gaps.
ISACA offers its own COBIT 5 certification, allowing you to learn more about the framework. You can learn, among other things:
• Everything about COBIT 5, as well as its components.
• Applying COBIT 5 in every situation.
• Understanding how COBIT addresses the need to have governance guidelines.
• Learning how to use COBIT 5 with other frameworks and best practices.
ISACA offers two paths.
1. The Implementation Path will focus more on the application of COBIT 5 to different business problems.
2. The ASSESSOR Path will teach participants how to review their business processes and see what needs to be changed, among other things.
CIOs, IT directors and managers, risk professionals, audit committee members, and process owners should think about getting certified with COBIT.
ISACA has made documents, videos, training, and publications available on their website if you need help implementing COBIT 5.