COBIT

Control Objectives for Information and Related Technology (COBIT) is a framework created by ISACA for information technology (IT) management and IT governance. It is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.

Overview

ISACA first released COBIT in 1996; ISACA published the current version, COBIT 5, in 2012.

COBIT aims "to research, develop, publish and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers, IT professionals and assurance professionals".^[1]

COBIT, initially an acronym for "Control objectives for information and related technology" (though before the release of the framework people talked of "CobiT" as "Control Objectives for IT"^[2]^[3]), defines a set of generic processes for the management of IT. The framework defines each process together with process inputs and outputs, key process-activities, process objectives, performance measures and an elementary maturity model.

The framework supports governance of IT by defining and aligning business goals with IT goals and IT processes.

COBIT provides a set of recommended best practices for governance and control process of information systems and technology with the essence of aligning IT with business. COBIT 5 consolidates COBIT4.1, Val IT and Risk IT into a single framework acting as an enterprise framework aligned and interoperable with TOGAF and ITIL.

The COBIT framework

The business orientation of COBIT consists of linking business goals to IT goals, providing metrics and maturity models to measure their achievement, and identifying the associated responsibilities of business and IT process owners.

The process focus of COBIT 4.1 is illustrated by a process model that subdivides IT into four domains (Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate) and 34 processes in line with the responsibility areas of plan, build, run and monitor. It is positioned at a high level and has been aligned and harmonized with other, more detailed, IT standards and good practices such as COSO, ITIL, BiSL, ISO 27000, CMMI, TOGAF and PMBOK. COBIT acts as an integrator of these different guidance materials, summarizing key objectives under one umbrella framework that link the good practice models with governance and business requirements.

The COBIT 4.1 framework specification can be obtained as a complimentary PDF at the ISACA download website. (Free self-registration may be required.)

COBIT 5 was released in April 2012.^[4] COBIT 5 consolidates and integrates the COBIT 4.1, Val IT 2.0 and Risk IT frameworks, and draws from ISACA's IT Assurance Framework (ITAF) and the Business Model for Information Security (BMIS). It aligns with frameworks and standards such as Information Technology Infrastructure Library (ITIL), International Organization for Standardization (ISO), Project Management Body of Knowledge (PMBOK), PRINCE2 and The Open Group Architecture Framework (TOGAF).

Releases

COBIT has had five major releases:

In 1996, the first edition of COBIT was released.
In 1998, the second edition added "Control".
In 2000, the third edition was released "Management Guidelines".
- In 2003, an on-line version became available.
In December 2005, the fourth edition was initially released.
- In May 2007, the 4.1 revision was released.
COBIT 5 was released in June 2012. It consolidates and integrates the COBIT 4.1, Val IT 2.0 and Risk IT frameworks, and also draws significantly from the Business Model for Information Security (BMIS) and ITAF.
- In December 2012, one add-on document was released, COBIT 5 for information security.^[5]
- In June 2013, a second add-on document was released, COBIT 5 for assurance.^[6]

Components

The COBIT components include:

Framework: Organize IT governance objectives and good practices by IT domains and processes, and links them to business requirements
Process descriptions: A reference process model and common language for everyone in an organization. The processes map to responsibility areas of plan, build, run and monitor.
Control objectives: Provide a complete set of high-level requirements to be considered by management for effective control of each IT process.
Management guidelines: Help assign responsibility, agree on objectives, measure performance, and illustrate interrelationship with other processes
Maturity models: Assess maturity and capability per process and helps to address gaps.

Other ISACA Publications based on the COBIT framework include:

Board Briefing for IT Governances, 2nd Edition
COBIT and Application Controls
COBIT Control Practices, 2nd Edition
IT Assurance Guide: Using COBIT
Implementing and Continually Improving IT Governance
COBIT Quickstart, 2nd Edition
COBIT Security Baseline, 2nd Edition
IT Control Objectives for Sarbanes-Oxley, 2nd Edition
IT Control Objectives for Basel II
COBIT User Guide for Service Managers
COBIT Mappings (to ISO/IEC 27002, CMMI, ITIL, TOGAF, PMBOK etc.)
COBIT Online

COBIT as a Tool for Regulatory Compliance

Regulatory requirements, e.g. those imposed by the Sarbanes-Oxley Act, frequently require organisations to have frameworks in place for risk mitigation, monitoring and control.

COBIT provides an attractive option to meet such requirements.

Sarbanes-Oxley

Companies that are publicly traded in the US are subject to the Sarbanes-Oxley Act of 2002. According to the IIA, COBIT is one of the most commonly used frameworks to comply with Sarbanes-Oxley.^[7]

King III

Companies that are publicly traded in South Africa are subject to the King III code of corporate governance.

According to Greetha Steenkamp of the University of Stellenbosch,^[8] COBIT is well aligned to the principles of King III, so COBIT can be used effectively to meet the IT governance framework requirements of King III.

References

ISACA Custodians of COBIT
COBIT education provided by ISACA
ISO/IEC 20000 international standard for IT Service Management
ISO/IEC 27000 Information Security Management Systems standards
Wood, David J. 2010. "Assessing IT Governance Maturity: The Case of San Marcos, Texas". Applied Research Projects, Texas State University-San Marcos.
The Institute of Internal Auditors' List of most commonly used Internal Control Frameworks
http://ecommons.txstate.edu/arp/345 (This paper applies a modified COBIT framework to a medium-sized city).
Checklist/cheatsheet summarizing Cobit 5

Notes

↑ ITGI. "COBIT 4.1 Executive Summary" (PDF). COBIT 4.1 Executive Summary. ITGI.
↑ Katsikas, Sokratis; Gritzalis, Dimitris, eds. (1996). Information Systems Security: Facing the Information Society of the 21st Century. IFIP Advances in Information and Communication Technology. Springer. p. 358. ISBN 9780412781209. Retrieved 2013-05-24. The McCumber model has great similarities with the CobiT - Control Objectives for IT - framework (CobiT 1995).
↑ CobiT: Control Objectives for Information Technology. CobiT Framework, Exposure Draft, August 1995, CobiT Steering Committee; the Information Systems Audit and Control Foundation Research Board and the Information Systems Audit and control Foundation Standards Board. Cited in: Katsikas, Sokratis; Gritzalis, Dimitris, eds. (1996). Information Systems Security: Facing the Information Society of the 21st Century. IFIP Advances in Information and Communication Technology. Springer. p. 362. ISBN 9780412781209. Retrieved 2013-05-24.
↑ "ISACA Issues COBIT 5 Governance Framework". ISACA.org. Retrieved 2013-05-04.
↑ ITGI. "COBIT 5 for Information Security". COBIT 5 for information security. ITGI.
↑ ITGI. "COBIT 5 for Assurance". COBIT 5 for assurance. ITGI.
↑ IIA. "common internal control frameworks" (PDF). common internal control frameworks. IIA.
↑ Steenkamp 2009

Authority control	GND: 7544194-9

This article is issued from Wikipedia - version of the Tuesday, November 17, 2015. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.