COBIT®

COBIT - Control Objectives for Information and related Technology C OBI T was initially created by the Information Systems Audit & Control Foundation in 1996, and the Governance Institute updated it in 2000 for the release of the 3 rd Edition. Release 4 was published in Release 5 was published in 2011.

C OBI T provides a control and management framework with a set of good practices. It provides the links between IT governance requirements, IT Processes, and IT controls. It is strongly focused on control and less on execution. COBIT®

C OBI T addresses a broad spectrum of duties in IT management, including significant parts of IT service management. It is based on established frameworks and best practices including the Software Engineering Institute’s Capability Maturity Model, ISO 9000, ITIL®, and ISO/IEC COBIT 5 is a culmination of COBIT, ValIT, RiskIT and other ISACA frameworks. COBIT®

For IT to be successful in delivering against business requirements, C OBI T recommends that management put an internal control system or framework in place that enables IT to be successful in delivering against business requirements. It is relatively high level and broad-based, aiming to be generically complete, but not specific. COBIT®

Who’s Involved? IT Governance Institute (ITGI) – Established in 1998 to advance international thinking and standards in directing and controlling an enterprise’s information technology. Information Systems Audit and Control Association (ISACA) – founded in ISACA is an international professional, technical and education organization dedicated to being a recognized global leader in IT governance, security, control and assurance.

What does C OBI T provide? C OBI T provides a number of useful features—many related to the audit practices—and ensures that internal controls are working correctly, including: Common approach for IT functions, the business, and auditors Strong support for IT audit, reducing the cost of audit risk assessment Assistance when implementing effective practices by avoiding the need to ‘reinvent the wheel’

C OBI T Components COBIT provides 37 generic processes that govern the IT resources to deliver information to the business according to the business and governance requirements. Primarily of interest to governance, assurance, control and security professionals, the following are the main elements of COBIT: Principles Process Reference Model Goals and Metrics Practices and Activities Inputs and Outputs Roles and Responsibilities

Comparison with ISO/IEC ISO/IEC covers a subset of processes from the following COBIT process areas (relevant sections of ISO are in parenthesis): Deliver, Service and Support (Section 6: Service Delivery Processes) Build, Acquire and Implement (Section 5: Design and Transition of New or Changed Services) Align, Plan and Organize (Section 4: Service Management System General Requirements)

C OBI T is based on a top-down approach based on a hierarchy of domains, processes, and activities. This has parallels with the ISO/IEC top-down policy, process, procedure hierarchy. In C OBI T, each process is described by using the following information: High-level control objectives Detailed control objectives Information criteria affected by the process IT resources used by the process Typical characteristics depending on the maturity level Inputs and outputs of the process RACI chart of activities against function Goals and metrics Comparison with ISO/IEC 20000

The audit guidance and practices of C OBI T can provide useful input to an organization planning extensive changes and improvements in order to achieve ISO/IEC Comparison with ISO/IEC 20000