
Guide to COBIT 2019

May 14, 2019 by Dan Virgillito

The Information Systems Audit and Control Association (ISACA) has recently introduced the first update for its COBIT 5 framework. The updated version, COBIT 2019, will allow organizations to develop, implement and organize governance strategies that are more collaborative and flexible and that address new and evolving technology.

Many companies, however, aren’t familiar with COBIT or the advantages it can provide to their business. Why should organizations care what this framework can do for them? The answer is that it offers an end-to-end view of the governance of corporate IT, reflecting the central role of technology and information for businesses of all sizes.

In this article, we’ll talk about COBIT 2019 in detail. By the time you finish reading this article, you’ll be able to give comprehensive answers to questions such as:

  • What is COBIT?
  • What is COBIT 2019?
  • What are the key components of COBIT 2019?
  • What are some differences between COBIT 2019 and COBIT 5?

Let’s get started.

What is COBIT?

COBIT is the acronym for Control Objectives for Information and Related Technology. ISACA developed this framework for IT management and governance. It was built to be a supportive tool for stakeholders and helps in bridging the vital gap between business risks, technical problems and control requirements. Today, COBIT is used by IT process managers in a variety of industries to ensure control, reliability and quality of information systems in their enterprise.

Part of its success comes from the fact that it has been frequently updated to meet the ever-evolving needs of enterprise IT governance. For example, after the initial introduction of COBIT in 1996, ISACA introduced a second version to expand the framework outside the initial auditing community. In the 2000s, COBIT 3 brought in the IT information governance and management strategies you see in the framework today.

A fourth version was introduced in 2005, followed by a 4.1 release in 2007. These updates contained more information on governance regarding communication and information technology. The last version to be released (before COBIT 2019) was COBIT 5 in 2012, which included more information for enterprises regarding information governance and risk management. COBIT 5 could also integrate with other renowned standards, resources and frameworks, including Risk IT, ISO 27000 and CMMI.

The various elements of COBIT include:

  • Framework: Helps to organize the aims of IT governance and link business requirements
  • Process Descriptions: Includes planning, development, activation and management of all IT processes
  • Control Objectives: Offers a comprehensive list of requirements for effective IT business control
  • Maturity Models: Allows enterprises to assess the capacity and maturity of all processes
  • Management Guidelines: Helps to streamline the assigning of responsibilities

In a nutshell, COBIT gives companies the flexibility to optimize risks and manage security while making sure that IT is able to conform to industry protocols and compliance initiatives.

What is COBIT 2019?

COBIT 2019 addresses the modern technologies, trends and security requirements for organizations. It includes other frameworks such as TOGAF, CMMI and ITIL, which makes it an ideal framework for unifying processes across a whole enterprise. New theories and concepts have been introduced in the latest COBIT update, which now includes 40 objectives for building a governance and management program.

The aim behind the introduction of this framework is to provide companies with greater adaptability while tailoring a governance procedure. Like other similar frameworks, COBIT interlinks IT objectives and core business objectives to bridge gaps between specific silos within an enterprise.

Per ISACA, COBIT 2019 was refreshed to include:

  • Design factors and focus areas that offer more transparency on building a governance system
  • Improved compliance with global frameworks
  • Consistent updates on a rolling basis
  • An open-source model that enables feedback from the external governance community for quicker enhancements
  • Better instructions and a broader toolkit to assist enterprises when creating a top-notch governance system
  • An improved tool for measuring CMMI alignment and IT performance
  • Greater support for decision-making

It also introduces the concept of the focus area, which details a specific governance issue or topic. Enterprises can include or remove focus areas, depending on the applicability to their situation. These can include digital transformation, small and medium enterprises, cybersecurity and privacy.

What are the key components of COBIT 2019?

The latest COBIT release has four key elements:

  • COBIT 2019 Framework — Introduction and Methodology: Outlines the structure of the entire framework
  • COBIT 2019 Framework — Governance and Management Objectives: Includes a comprehensive description of the core model and its 40 objectives for information management and governance
  • COBIT 2019 Design Guide: Provides instructions on how to implement the framework on a practical basis
  • COBIT 2019 Implementation Guide: Offers best practices on how to integrate COBIT 2019 with your current COBIT 5 framework

Overall, COBIT 2019 is designed to guide organizations in building a governance strategy while also enabling them to tailor a “best-fit” approach accurately. Known as “enablers” in the previous COBIT framework, these elements better explain what enterprises need to set up a highly effective governance system.

In addition, the flexibility of COBIT 2019 will enable companies to align all of their current frameworks and understand how each of them fits into the bigger strategy. Consequently, it can help organizations to analyze the performance of existing frameworks when it comes to risk management and information security compliance.

What are some differences between COBIT 2019 and COBIT 5?

COBIT 5, as previously mentioned, focused on five main elements that seemed to be distinct from one another. COBIT 2019, however, concentrates on the way these elements work together. For instance, every element (also known as a core process or component) contains several governance principles as well as guidance on how to effectively set up a control system.

What this means is that, rather than having two distinct sections that a user needs to integrate on their own, COBIT offers a list that starts with objectives and then demonstrates how to set them up in an IT environment. It also demonstrates how to integrate them into the core functions of an organization.

It’s also worth mentioning that an open-source model will grant the global governance communities the ability to influence future releases by sharing files, offering feedback and advising enhancements to the framework in real time, with additional revisions seeded on a rolling basis. This didn’t apply to COBIT 5.

Another noticeable change in COBIT 2019 is the introduction of new management objectives. For example, users will be introduced to an APO14 framework that has “data management” as the objective. In addition, several terms have changed in COBIT 2019. For instance, Process Guidance is now referred to as Governance/Management Objectives for the improvement of the integration of various components.

Lastly, COBIT 2019 gives C-level executives a way to showcase the ROI of information technology projects and how it can help accomplish key business objectives.

Final thoughts

For every governance component, COBIT 2019 pinpoints the applicable frameworks, standards and compliance needs that can be referenced. It also contains informative references where appropriate. With tactical objectives, enterprises can implement the latest COBIT framework to enhance data security, remove the silos within the IT and business goals and help increase a company’s market value.

For more information on COBIT 2019, go to www.isaca.org/cobit or watch clips about its newly released features.

Dan Virgillito

Dan Virgillito is a blogger and content strategist with experience in cyber security, social media and tech news.