COBIT®

COBIT® - Control Objectives for Information and related Technology. C OBI T was initially created by the Information Systems Audit & Control Foundation in 1996, and the Governance Institute updated it in 2000 for the release of the 3 rd Edition. Release 4 was published in 2005.

C OBI T provides a control and management framework with a set of good practices. It provides the links between IT governance requirements, IT processes and IT controls. It is strongly focused on control and less on execution. COBIT®

C OBI T addresses a broad spectrum of duties in IT management, including significant parts of IT service management. It is based on established frameworks and best practices including the Software Engineering Institute’s Capability Maturity Model, ISO 9000, ITIL® and ISO/IEC COBIT®

For IT to be successful in delivering against buisness requirements, C OBI T recommends that management put an internal control system or framework in place that enables IT to be successful in delivering against business requirements. It is relatively high level and broad –based, aiming to be generically complete, but not specific. COBIT®

Who’s Involved IT Governance Institute (ITGI) – established 1998 to advance international thinking and standards in directing and controlling an enterprise’s information technology. The Information Systems Audit and Control Association (ISACA) – founded ISACA is an international professional, technical and education organisation dedicated to being a recognised global leader in IT governance, security, control and assurance.

What does C OBI T provide? C OBI T provides a number of useful features, many related to the audit practices and ensuring internal controls are working correctly. Including: Common approach for IT functions, the business and auditors; Strong support for IT audit, reducing the cost of audit risk assessment; Assistance when implementing effective practices by avoiding the need to ‘re-invent the wheel’.

C OBI T Components COBIT provides 34 generic processes that manage the IT resources to deliver information to the business according to the business and governance requirements. Primarily of interest to governance, assurance, control and security professionals, the following are the main elements of COBIT: Executive summary Framework Control objectives Control practices Management guidelines Audit guidelines IT Governance implementation guide.

Comparison with ISO/IEC (1) In the context of IT governance C OBI T has a focus on the Plan-Do-Check-Act (PDCA) cycle. ISO/IEC includes the PDCA cycle but also gives emphasis to each service management process, the integration of processes and the relationship between PDCA cycle and service management processes.

C OBI T is based on a top-down approach based on a hierarchy of domains, processes and activities. This has parallels with the ISO/IEC top-down policy, process, procedure hierarch. In C OBI T each process is described by using the following information: High-level control objectives; Detailed control objectives; Information criteria affected by the process; IT resources used by the process; Typical characteristics depending on the maturity level; Inputs and outputs of the process; RACI chart of activities against function Goals and metrics. Comparison with ISO/IEC (2)

C OBI T processes in the delivery and support domain are covered in a comprehensive manner by ISO/IEC (clauses 6-10). There is also some overlap between C OBI T processes, tasks, duties of the domains PO, AI and ME in ISO/IEC (clauses 3-5 and 7.3, 9.2). The audit guidance and practices of C OBI T can provide useful input to an organisation planning extensive changes and improvements in order to achieve ISO/IEC Comparison with ISO/IEC (3)