A NEW COBIT® IS IN TOWN AND I REALLY LIKE HOW THIS LOOKS.

ISACA released the latest version of the framework this month and I can tell you without hesitation that this latest structure is one of the best governance and management frameworks to date for the governance and management of enterprise IT. The first two books of COBIT 2019 have been released with additional publications to follow soon. If you haven’t taken a look yet, now is the time.

There will be four key publications in this release, and so far two are available: the COBIT 2019 Framework: Introduction and Methodology, which lays out the structure of the overall framework, and COBIT 2019 Framework: Governance and Management Objectives, which contains a detailed description of the COBIT Core Model and its 40 governance and management objectives. The last two publications, scheduled for release in December, include the COBIT 2019 Design Guide, which will offer guidance on how to put COBIT to practical use, and the COBIT 2019 Implementation Guide, which will be an updated and more relevant version of the COBIT 5 Implementation Guide.

One of the things I like about ISACA’s approach is that the first two are FREE, and you can download them on the ISACA site here.

Many of you know that I’m a big fan of frameworks, and over the years they have been developed and promoted to help enterprises understand, design and adopt IT governance. This new release of COBIT is a more comprehensive information and technology (I&T) governance and management framework. COBIT continues to establish itself not only as a generally accepted framework for I&T governance, but as a framework aimed at the whole enterprise – which is to say all of the technology and information processing an enterprise uses to achieve its goals. It is important to note that COBIT is not a framework that organizes business processes, nor is it a framework for governing and managing every specific technology. It focuses on the I&T components required to govern and manage the information that an enterprise receives, processes, stores and disseminates.

What’s new in COBIT 2019?

From my reading of these new publications, there are some major differences between COBIT 2019 and its predecessor COBIT 5. These include modified principles, new focus areas, new design factors, an updated goals cascade, modified processes (from 37 to 40), updated performance management, the term “governance components” replacing the COBIT 5 enablers, and my personal favorite, new detailed governance and management objectives. There are so many positive changes that it is difficult to capture all of them in this post, so I’m going to focus on how the new components and the governance and management objectives interrelate. You may be wondering how processes fit into this. I’ll walk you through that next.

Let’s start with the governance components.

In order to achieve governance and management objectives, enterprises should establish a governance system built from a number of components. “Components are factors that, individually and collectively, contribute to the good operations of the enterprise’s governance system over I&T.” (COBIT 2019 Framework, Introduction and Methodology ISACA). These components include:

  • Processes
  • Organizational structures
  • Information
  • Skills and competencies
  • Culture and behavior
  • Policies and procedures
  • Services, infrastructure and applications

You might remember these as enablers in COBIT 5. I loved the concept of enablers in COBIT 5, but it was very difficult to link these to practical uses in an enterprise. These components are now a key part of the COBIT 2019 framework based on how they are linked to the governance and management objectives.

Governance and management objectives.

One of the key ways of delivering I&T value is to contribute to the achievement of enterprise goals (identified in the modified goals cascade). These objectives are organized in the same five domains we’ve seen before (EDM, APO, BAI, DSS and MEA).

Each domain has a set of governance and management objectives. A governance or management objective always relates to one process and the related components to achieve the objective. Governance objectives are associated with EDM, while management objectives are associated with APO, BAI, DSS and MEA.

There are 40 governance and management objectives as seen below.

COBIT Core Model, COBIT 2019 Framework, Introduction and Methodology: 2018 ©Information Systems Audit and Control Association, Inc. (ISACA). Appears with permission.

What COBIT 5 called the Process Reference Model (PRM) is identified in COBIT 2019 as the COBIT Core Model. In this model, each of the 40 governance and management objectives relates to a process, which is one of our governance components. Now, how do all of these come together?

Using governance and management objectives with components.

As mentioned above, each governance and management objective always relates to one process in the COBIT Core Model, so it should come as no surprise that the Core Model has 40 processes. Here is where this model is powerful. Remember earlier in this post I mentioned that the COBIT 5 enablers were difficult to link to the COBIT model? Well, now we see that each of these components (previously enablers) is used to describe all of the ingredients required to meet the objective.

If you go to the COBIT 2019 Framework: Governance and Management Objectives publication, each of the governance and management objectives, aka processes, is clearly described using the governance components as illustrated below.

Now that I’ve explained how these are linked, let’s look at an example of how a governance or management objective is described. I will use BAI06 – Managed IT Changes as an example.

High level information

This includes the domain name, focus area, governance or management objective name, description and purpose statement.

BAI06, COBIT 2019 Framework, Governance and Management Objectives: 2018 ©Information Systems Audit and Control Association, Inc. (ISACA). Appears with permission.

Goals cascade

This includes applicable alignment goals (formerly known as IT-related goals), enterprise goals, and example metrics.

BAI06, COBIT 2019 Framework, Governance and Management Objectives: 2018 ©Information Systems Audit and Control Association, Inc. (ISACA). Appears with permission.

Related components (remember, there are seven of these, and you may remember them as enablers in COBIT 5).

1.  Processes.

Since every governance or management objective relates to one process, this is key. Within the “Process” component, not much has changed. We still see a set of management practices, example metrics, and activities as well as related guidance. Remember that related guidance is now provided for EACH of the governance components. One of the major additions to COBIT 2019 is that each activity is associated with a Capability Level.

BAI06, COBIT 2019 Framework, Governance and Management Objectives: 2018 ©Information Systems Audit and Control Association, Inc. (ISACA). Appears with permission.

2.  Organizational Structures.

The different levels of involvement can be divided into responsible and accountable levels. Enterprises should review levels of responsibility and accountability, consulted and informed, and update roles and organizational structures in the chart according to the enterprise’s context, priorities and terminology. Suggesting responsible and accountable roles only is different from COBIT 5, which also included consulted and informed. Since consulted and informed roles depend on organizational context and priorities, they are not included in the new COBIT guidance.

BAI06, COBIT 2019 Framework, Governance and Management Objectives: 2018 ©Information Systems Audit and Control Association, Inc. (ISACA). Appears with permission.

3.  Information Flows and Items.

This governance component provides guidance on the information flows and items linked with process practices. Each practice includes inputs and outputs, with indications of origin and destination.

BAI06, COBIT 2019 Framework, Governance and Management Objectives: 2018 ©Information Systems Audit and Control Association, Inc. (ISACA). Appears with permission.

4.  People, Skills and Competencies.

This component identifies human resources and skills required to achieve the governance or management objective.

BAI06, COBIT 2019 Framework, Governance and Management Objectives: 2018 ©Information Systems Audit and Control Association, Inc. (ISACA). Appears with permission.

5.  Culture and Behavior.

This component provides detailed guidance on desired cultural elements within the organization that support the achievement of a governance or management objective.

BAI06, COBIT 2019 Framework, Governance and Management Objectives: 2018 ©Information Systems Audit and Control Association, Inc. (ISACA). Appears with permission.

6.  Policies and Procedures.

This component provides detailed guidance on the policies and procedures within the organization that support the achievement of a governance or management objective.

BAI06, COBIT 2019 Framework, Governance and Management Objectives: 2018 ©Information Systems Audit and Control Association, Inc. (ISACA). Appears with permission.

7.  Services, Infrastructure and Applications.

This component provides detailed guidance on third-party services, types of infrastructure and categories of applications that can be applied to support the achievement of a governance or management objective. Guidance is generic (to avoid naming specific vendors or products).

Related guidance

For each governance component, COBIT 2019 identifies the applicable standards, frameworks and compliance requirements that can be referenced. It also includes detailed references where available. Related guidance is found under each of the applicable components – this is different from COBIT 5 where this was applied only at the process level.

Sound confusing? Maybe this short video will help you understand how COBIT 2019 displays each governance and management objective in the official publication:

Keep an eye out for more of my perspectives on the new COBIT 2019 framework in upcoming blogs. As always, your thoughts and perspectives are appreciated!

WHY AM I A HUGE FAN OF COBIT?

COBIT5 has been around for a couple of years now, so I should probably stop referring to it as the new release and simply call it the latest. I was introduced to COBIT back in version 4.0, and have since been involved in several opportunities to use COBIT5. There are many cool things about it, and it’s difficult to outline all of them in this post, but I wanted to share some thoughts on what I feel are the biggest hitters for me. These observations are a culmination of many real-world experiences, all of which are unique to my journey, and I’m sure many of you have unique stories of your own. In any case, I hope you gain something from reading my top ten reasons why I’m a COBIT fan. And here they are…

1. COBIT is relevant – the goal is to deliver value.
The enterprise exists to create value for its stakeholders. This is simple in theory but tough in real life. COBIT was created from the top down, meaning that the entire model focuses on the primary facets of providing value: realizing benefits while optimizing risks and resources. From the goals cascade to the enablers, COBIT helps you focus on value. Now, I’ll admit that you really should understand the complete framework to realize its full benefits. While implementing portions of the framework certainly helps, it may not identify where your gaps exist.

2. COBIT still focuses on information.
If an enterprise doesn’t manage its information, it will no longer exist. COBIT focuses on the information first, and that is the right way to look at it. Without information, there’s no need for the technology.

3. COBIT is not just for the big companies.
COBIT has escaped the “for big companies only” misconception. Whether you have a small IT organization or several hundred resources, COBIT fits any size; you just need to identify your business goals, objectives and mission to operate as a going concern. I’ve seen an organization with two IT staff members leverage COBIT.

4. COBIT is a framework that looks beyond just processes.
COBIT’s seven enablers are designed to help you get beyond just looking at processes. These enablers include 1) Principles, Policies and Frameworks, 2) Processes, 3) Organizational Structures, 4) Culture, Ethics and Behavior, 5) Information, 6) Services, Infrastructure and Applications, and 7) People, Skills and Competencies. These provide a more holistic approach to governance, where changes in one enabler must be adequately assessed across all enablers.

5. COBIT is a great reference for process owners.
All processes should have owners. I’ll even take that a step further and say that all processes should have assigned roles. Within COBIT5 there is a wealth of information regarding processes. There are 37 processes organized into five domains (one governance domain and four management domains). Within this process reference model, the biggest hitters for me include: process description and purpose, practices and activities, inputs and outputs, RACI charts, goals, and related industry standards and frameworks.

6. COBIT has a goals cascade that is flexible and usable.
This is not just an academic reference, but a really helpful tool. I’m often heard saying that this is one of the best kept secrets in our industry. To this day I am surprised that most people are not aware of its utility. The goals cascade is a series of mappings that allow you to link stakeholder needs to enterprise goals, to IT-related goals, and to enabler goals. Once you’ve seen how this works, you will most certainly be hooked.

7. COBIT has a product family that is consistent, like a single playbook.
One of the key principles of COBIT is to provide an integrated framework that is complete in enterprise coverage. This provides a basis to integrate and align with the latest relevant standards and frameworks, as well as all knowledge previously dispersed over different ISACA frameworks. So what does this mean? The COBIT product family is my starting point, and lets me know where to look for additional information.

8. COBIT can be incorporated with other frameworks.
I often get challenged when I say that I’ve used COBIT as a “framework to manage my frameworks,” but this is a true statement, and it works. Some of the most prominent I’ve seen include ISO38500, ISO31000, ISO27000, ISO20000, ITIL, PRINCE2, and CMMI. Yes, you can use more than one framework in an enterprise, and COBIT helps you figure out how to do it.

9. COBIT is the “middleware” between Governance, IT, and Assurance.
Hopefully you don’t take me literally here by using middleware, but let’s look at middleware’s purpose. It provides a link to exchange information between dissimilar systems. Now considering the gaps we see between Governance, IT and Assurance, doesn’t this make sense? Think of it as a common language that can finally bridge that gap. I’ve used COBIT as a translator that can get us all thinking about the same enterprise goals.

10. No more control objectives!
This doesn’t sit well with the folks who like the word control. I’ll admit that when COBIT5 replaced the term, I was skeptical. I’ve had a change of attitude about this. COBIT now uses terms like Management Practices and Activities, and for good reason. Instead of controlling the technologies that manage your information, shouldn’t you be focusing more on the management practices? I certainly think so, since they are the guidance necessary to achieve process goals. If it really bothers you, can you still use the term control objective? Sure.

Final thoughts on COBIT.

Whether you’re a board member, executive, auditor, or IT operator, do yourself a favor and learn more about it. Admittedly, many people find it difficult to simply thumb through the various publications and experience the “ah, I get it now” feeling. My advice to anyone who wants to learn more about it is to go to the ISACA site (www.isaca.org) and download some of the key publications. For starters, you should get the COBIT5 Framework, Enabling Processes, and Implementation guides. Additionally, there are a lot of good resources on the site that might help you out, like COBIT Online and the “ask the expert” sections of the site.

Having said all of these great things about COBIT, I want to emphasize that adopting a framework does not guarantee your governance success, but it sure does offer a great starting point. COBIT offers a common language that can be shared across the enterprise, but real adoption requires executive support, a desire to improve, and a strong commitment to achieving the governance of enterprise IT.