for Information and related Technology (COBIT) was first released in 1996; the
current version, COBIT 5, was published in 2012. Its mission is “to research, develop,
publish and promote an authoritative, up-to-date, international set of generally
accepted information technology control objectives for day-to-day use by business
managers, IT professionals and assurance professionals.”

COBIT, initially an acronym for 'Control OBjectives for Information and related
Technology', defines a set of generic processes to manage IT. Each process is defined
together with process inputs and outputs, key process activities, process objectives,
performance measures and an elementary maturity model. The framework supports governance
of IT by defining and aligning business goals with IT goals and IT processes.

The Control OBjectives for Information and related Technology (COBIT) Framework.

The framework provides good practices across a domain and process framework. The
business orientation of COBIT consists of linking business goals to IT goals, providing
metrics and maturity models to measure their achievement, and identifying the associated
responsibilities of business and IT process owners.
The process focus of COBIT 4.1 is illustrated by a process model that subdivides
IT into four domains (Plan and Organize, Acquire and Implement, Deliver and Support,
and Monitor and Evaluate) and 34 processes in line with the responsibility areas
of plan, build, run and monitor. It is positioned at a high level and has been aligned
and harmonized with other, more detailed, IT standards and good practices such as
COSO, ITIL, ISO 27000, CMMI, TOGAF and PMBOK. COBIT acts as an integrator of these
different guidance materials, summarizing key objectives under one umbrella framework
that links the good practice models with governance and business requirements.

Why Use Control OBjectives for Information and related Technology (COBIT)

Because COBIT is business-oriented, using it to understand IT control objectives
to deliver IT value and manage IT-related business risks is straightforward:

- Start with business objectives in the framework.
- Select the IT processes and control objectives appropriate to the enterprise from the control objectives.
- Operate from the business plan.
- Assess the status of the organization, identify critical activities leading to success and measure performance in reaching enterprise goals with the management
- Assess procedures and results with the IT Assurance Guide.

The Purpose Of Control OBjectives for Information and related Technology (COBIT)

The purpose of COBIT is to provide management and business process owners with an
information technology (IT) governance model that helps in delivering value from
IT and understanding and managing the risks associated with IT. COBIT helps bridge
the gaps amongst business requirements, control needs and technical issues. It is
a control model to meet the needs of IT governance and ensure the integrity of information
and information systems.

Who is using Control OBjectives for Information and related Technology (COBIT)

COBIT is used globally by those who have the primary responsibilities for business
processes and technology, those who depend on technology for relevant and reliable
information, and those providing quality, reliability and control of information

Control OBjectives for Information and related Technology (COBIT) is IT process-oriented
and, therefore, addresses itself in the first place to the owners of these processes.
Referring to Porter's Generic Business Model, core processes (e.g., procurement,
operations, marketing, sales) are discussed, as well as support processes (e.g.,
human resources, administration, information technology). As a consequence, COBIT
is not only to be applied by the IT department, but by the business as a whole.
This approach stems from the fact that in today's enterprises, the process owners
are responsible for the performance of their processes, of which IT has become an
integral part. In other words, they are empowered but also accountable. As a consequence,
business process owners bear the final responsibility for the information technology
as deployed within the confines of their business process. Of course, they will
make use of services provided by specialized parties such as the traditional IT
department or the third-party service provider.

Control OBjectives for Information and related Technology (COBIT) provides business
process owners with a framework, which should enable them to control all the different
activities underlying IT deployment. On this basis, they can gain reasonable
assurance that IT will contribute to the achievement of their business objectives.
Moreover, COBIT provides business process owners with a generic communication framework
to facilitate understanding and clarity amongst the different parties involved in
the delivery of IT services.

The Control OBjectives for Information and related Technology (COBIT) framework
has been structured into 34 IT processes clustering interrelated life cycle activities
or interrelated discrete tasks. The process model was preferred for several reasons.
First, a process by its nature is results-oriented in the way that it focuses on
the final outcome while optimizing the use of resources. The way these resources
are physically structured, e.g., people/skills in departments, is less relevant
in this perspective. Second, a process, especially its objectives, is more permanent
in nature and does not risk change as often as an organizational entity. Third,
the deployment of IT cannot be confined to a particular department and involves
users and management as well as IT specialists. In this context, the IT process
remains, nevertheless, the common denominator.

The Future Direction of Control OBjectives for Information and related Technology

As with any comprehensive and groundbreaking research, COBIT will be updated to
a new version approximately every three years, with minor enhancements in between.
This will ensure that the model and the framework remain comprehensive and valid.
The validation will also entail ensuring that the primary reference materials have
not changed, or, if they have, those changes are reflected in the document.

COBIT's maturity models useful to CMMI organizations

Even though the approaches are different, an enterprise that has already adopted
and applied CMMI can use COBIT to cover areas not addressed by CMMI, and will be
able to use the CMMI experience to apply COBIT's models to whatever formal level
they require, in areas not covered by the scope that was defined for the CMMI assessment.
For example, an advanced software development shop could broaden its maturity assessment
to apply it to their entire IT function, including other important COBIT IT processes.
The mapping publication, available from the ITGI, showing how COBIT compares to
CMMI, would be a very helpful resource, but the enterprise would need to devise
its own CMMI-like assessment approach using COBIT's generic guidance as a starting
point, or follow the suggested approach in the ITGI publication—IT Governance Implementation
Guide: Using COBIT and Val IT, 2nd Edition. In time, it is expected that the CMMI
guidance will broaden into other areas such as service management, which would be
equivalent to the ITIL processes and principally the COBIT DS domain.