ISACA released the latest version of the framework this month and I can tell you without hesitation that this latest structure is one of the best governance and management frameworks to date for the governance and management of enterprise IT. The first two books of COBIT 2019 have been released with additional publications to follow soon. If you haven’t taken a look yet, now is the time.
There will be four key publications in this release, and so far two are available: the COBIT 2019 Framework: Introduction and Methodology, which lays out the structure of the overall framework, and the COBIT 2019 Framework: Governance and Management Objectives, which contains a detailed description of the COBIT Core Model and its 40 governance and management objectives. The last two publications, scheduled for release in December, are the COBIT 2019 Design Guide, which will offer guidance on how to put COBIT to practical use, and the COBIT 2019 Implementation Guide, which will be an updated and more relevant version of the COBIT 5 Implementation Guide.
One of the things I like about ISACA’s approach is that the first two are FREE, and you can download them on the ISACA site here.
Many of you know that I’m a big fan of frameworks, and over the years, they have been developed and promoted to help enterprises understand, design and adopt IT governance. This new release of COBIT is a more comprehensive information and technology (I&T) governance and management framework. COBIT continues to establish itself as not only a generally accepted framework for I&T governance, but a framework that is aimed at the whole enterprise – which is to say all of the technology and information processing an enterprise uses to achieve its goals. It is important to note that COBIT is not a framework that organizes business processes, nor is it a framework for governing and managing all specific technologies. It focuses on the I&T components required to govern and manage the information that an enterprise receives, processes, stores and disseminates.
What’s new in COBIT 2019?
From my reading of these new publications, there are some major differences between COBIT 2019 and its predecessor COBIT 5. These include modified principles, new focus areas, new design factors, an updated goals cascade, modified processes (from 37 to 40), updated performance management, the term “governance components” that replaces the COBIT 5 enablers, and my personal favorite, new detailed governance and management objectives. There are so many positive changes that it is difficult to capture all of them in this post, so I’m going to focus on how the new components and governance and management objectives interrelate. You may be wondering how processes fit into this. I’ll walk you through this next.
Let’s start with the governance components.
In order to achieve governance and management objectives, enterprises should establish a governance system built from a number of components. “Components are factors that, individually and collectively, contribute to the good operations of the enterprise’s governance system over I&T.” (COBIT 2019 Framework, Introduction and Methodology ISACA). These components include:
- Processes
- Organizational structures
- Information
- Skills and competencies
- Culture and behavior
- Policies and procedures
- Services, infrastructure and applications
You might remember these as enablers in COBIT 5. I loved the concept of enablers in COBIT 5, but it was very difficult to link these to practical uses in an enterprise. These components are now a key part of the COBIT 2019 framework based on how they are linked to the governance and management objectives.
Governance and management objectives.
One of the key areas of delivering I&T value is to contribute to the achievement of enterprise goals (identified in the modified goals cascade). These objectives are organized in the same domains we’ve seen before:
Each domain has a set of governance and management objectives. A governance or management objective always relates to one process and the related components to achieve the objective. Governance objectives are associated with EDM, while management objectives are associated with APO, BAI, DSS and MEA.
There are 40 governance and management objectives as seen below.
COBIT Core Model, COBIT 2019 Framework, Introduction and Methodology: 2018 ©Information Systems Audit and Control Association, Inc. (ISACA). Appears with permission.
Known as the Process Reference Model, or PRM in COBIT 5, COBIT 2019 identifies this as the COBIT Core Model. In this model, each of the 40 governance and management objectives relates to a process, which is one of our governance components. Now, how do all of these come together?
Using governance and management objectives with components.
As mentioned above, each of the governance and management objectives always relates to one process in the COBIT Core Model, so it should come as no surprise that the Core Model has 40 processes. Here is where this model is powerful. Remember earlier in this post I mentioned that the COBIT 5 enablers were difficult to link to the COBIT model? Well, now we see that each of these components (previously enablers) is used to describe all of the ingredients required to meet the objective.
If you go to the COBIT 2019 Framework: Governance and Management Objectives publication, each of the governance and management objectives, aka processes, is clearly described using the governance components as illustrated below.
Now that I’ve explained how these are linked, let’s look at an example of how a governance or management objective is described. I will use BAI06 – Managed IT Changes as an example.
High level information
This includes the domain name, focus area, governance or management objective name, description and purpose statement.
BAI06, COBIT 2019 Framework, Governance and Management Objectives: 2018 ©Information Systems Audit and Control Association, Inc. (ISACA). Appears with permission.
Goals cascade
This includes applicable alignment goals (formerly known as IT-related goals), enterprise goals, and example metrics.
BAI06, COBIT 2019 Framework, Governance and Management Objectives: 2018 ©Information Systems Audit and Control Association, Inc. (ISACA). Appears with permission.
Related components (remember, there are seven of these, and you may remember them as enablers in COBIT 5)
1. Processes.
Since every governance or management objective relates to one process, this is key. Within the “Process” component, not much has changed. We still see a set of management practices, example metrics, and activities as well as related guidance. Remember that related guidance is now provided for EACH of the governance components. One of the major additions to COBIT 2019 is that each activity is associated with a Capability Level.
BAI06, COBIT 2019 Framework, Governance and Management Objectives: 2018 ©Information Systems Audit and Control Association, Inc. (ISACA). Appears with permission.
2. Organizational Structures.
The different levels of involvement can be divided into responsible and accountable levels. Enterprises should review levels of responsibility and accountability, consulted and informed, and update roles and organizational structures in the chart according to the enterprise’s context, priorities and terminology. Suggesting responsible and accountable roles only is different from COBIT 5; COBIT 5 included consulted and informed. Since consulted and informed roles depend on organizational context and priorities, they are not included in the new COBIT guidance.
BAI06, COBIT 2019 Framework, Governance and Management Objectives: 2018 ©Information Systems Audit and Control Association, Inc. (ISACA). Appears with permission.
3. Information Flows and Items.
This governance component provides guidance on the information flows and items linked with process practices. Each practice includes inputs and outputs, with indications of origin and destination.
BAI06, COBIT 2019 Framework, Governance and Management Objectives: 2018 ©Information Systems Audit and Control Association, Inc. (ISACA). Appears with permission.
4. People, Skills and Competencies.
This component identifies human resources and skills required to achieve the governance or management objective.
BAI06, COBIT 2019 Framework, Governance and Management Objectives: 2018 ©Information Systems Audit and Control Association, Inc. (ISACA). Appears with permission.
5. Culture and Behavior.
This component provides detailed guidance on desired cultural elements within the organization that support the achievement of a governance or management objective.
BAI06, COBIT 2019 Framework, Governance and Management Objectives: 2018 ©Information Systems Audit and Control Association, Inc. (ISACA). Appears with permission.
6. Policies and Procedures.
This component provides detailed guidance on desired cultural elements within the organization that support the achievement of a governance or management objective.
BAI06, COBIT 2019 Framework, Governance and Management Objectives: 2018 ©Information Systems Audit and Control Association, Inc. (ISACA). Appears with permission.
7. Services, Infrastructure and Applications.
This component provides detailed guidance on third-party services, types of infrastructure and categories of applications that can be applied to support the achievement of a governance or management objective. Guidance is generic (to avoid naming specific vendors or products).
Related guidance
For each governance component, COBIT 2019 identifies the applicable standards, frameworks and compliance requirements that can be referenced. It also includes detailed references where available. Related guidance is found under each of the applicable components – this is different from COBIT 5 where this was applied only at the process level.
Sound confusing? Maybe this short video will help you understand how COBIT 2019 displays each governance and management objective in the official publication:
Keep an eye out for more of my perspectives on the new COBIT 2019 framework in upcoming blogs. As always, your thoughts and perspectives are appreciated!