Control Objectives for Information and Related Technologies (COBIT)
July 17, 2023
Introduction to Governance standards
COBIT, as the acronym for Control Objectives for Information and Related Technologies, is a framework for the governance and management of enterprise information and technology, aimed at the whole enterprise. Enterprise I&T means all the technology and information processing the enterprise puts in place to achieve its goals, regardless of where this happens in the enterprise. In other words, enterprise I&T is not limited to the IT department of an organization but certainly includes it.
The COBIT framework makes a clear distinction between governance and management. These two disciplines encompass different activities, require different organizational structures, and serve different purposes.
Governance ensures that:
Stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives.
Direction is set through prioritization and decision making.
Performance and compliance are monitored against agreed-on direction and objectives.
In most enterprises, governance is the responsibility of the board of directors, under the leadership of the chairperson. Management plans, builds, runs, and monitors activities, in alignment with the direction set by the governance body (the board of directors), to achieve enterprise objectives. In most enterprises, management is the responsibility of the executive management under the leadership of the chief executive officer (CEO).
What COBIT is NOT
COBIT is not a full description of the whole IT environment of an enterprise.
COBIT is not a framework to organize business processes.
COBIT is not an IT-technical framework to manage all technology.
COBIT does not make or prescribe any IT-related decisions. It will not decide what the best IT strategy is, what the best architecture is, or how much IT can or should cost. Rather, COBIT defines all the components that describe which decisions should be taken, and how and by whom they should be taken.
The context of EGIT
Benefits of Information and Technology Governance
Fundamentally, EGIT (enterprise governance of information and technology) is concerned with value delivery from digital transformation and the mitigation of business risk that results from digital transformation. More specifically, three main outcomes can be expected after successful adoption of EGIT:
Benefits realization—This consists of creating value for the enterprise through I&T, maintaining and increasing value derived from existing I&T investments, and eliminating IT initiatives and assets that are not creating sufficient value. The basic principle of I&T value is delivery of fit-for-purpose services and solutions, on time and within budget, that generate the intended financial and nonfinancial benefits. The value that I&T delivers should be aligned directly with the values on which the business is focused. IT value should also be measured in a way that shows the impact and contributions of IT-enabled investments in the value creation process of the enterprise.
Risk optimization—This entails addressing the business risk associated with the use, ownership, operation, involvement, influence, and adoption of I&T within an enterprise. I&T-related business risk consists of I&T-related events that could potentially impact the business. While value delivery focuses on the creation of value, risk management focuses on the preservation of value. The management of I&T-related risk should be integrated within the enterprise risk management approach to ensure a focus on IT by the enterprise. It should also be measured in a way that shows the impact and contributions of optimizing I&T-related business risk on preserving value.
Resource optimization—This ensures that the appropriate capabilities are in place to execute the strategic plan and sufficient, appropriate, and effective resources are provided. Resource optimization ensures that an integrated, economical IT infrastructure is provided, innovative technology is introduced as required by the business, and obsolete systems are updated or replaced. Because it recognizes the importance of people, in addition to hardware and software, it focuses on providing training, promoting retention, and ensuring competence of key IT personnel. A valuable resource is data and information, and exploiting data and information to gain optimal value is another key element of resource optimization.
Six Principles for a Governance System
Each enterprise needs a governance system to satisfy stakeholder needs and to generate value from the use of I&T. Value reflects a balance among benefits, risk and resources, and enterprises need an actionable strategy and governance system to realize this value.
A governance system for enterprise I&T is built from several components that can be of diverse types and that work together in a holistic way.
A governance system should be dynamic. This means that each time one or more of the design factors are changed (e.g., a change in strategy or technology), the impact of these changes on the EGIT system must be considered. A dynamic view of EGIT will lead toward a viable and future-proof EGIT system.
A governance system should clearly distinguish between governance and management activities and structures.
A governance system should be tailored to the enterprise’s needs, using a set of design factors as parameters to customize and prioritize the governance system components.
A governance system should cover the enterprise end to end, focusing not only on the IT function but on all technology and information processing the enterprise puts in place to achieve its goals, regardless of where the processing is in the enterprise.
Three Principles for a Governance Framework
A governance framework should be based on a conceptual model, identifying the key components and relationships among components, to maximize consistency and allow automation.
A governance framework should be open and flexible. It should allow the addition of updated content and the ability to address contemporary issues in the most flexible way, while maintaining integrity and consistency.
A governance framework should align to relevant major related standards, frameworks, and regulations.
Governance and Management Objectives
For information and technology to contribute to enterprise goals, several governance and management objectives should be achieved. Basic concepts relating to governance and management objectives are:
A governance or management objective always relates to one process (with an identical or similar name) and a series of related components of other types to help achieve the objective.
A governance objective relates to a governance process, while a management objective relates to a management process. Boards and executive management are typically accountable for governance processes, while management processes are the domain of senior and middle management.
The governance and management objectives in COBIT are grouped into five domains. The domain names contain verbs that express the key purpose and areas of activity of the objectives contained in them:
Governance objectives are grouped in the Evaluate, Direct and Monitor (EDM) domain. In this domain, the governing body evaluates strategic options, directs senior management on the chosen strategic options and monitors the achievement of the strategy.
Management objectives are grouped in four domains:
Align, Plan and Organize (APO) addresses the overall organization, strategy and supporting activities for I&T.
Build, Acquire and Implement (BAI) treats the definition, acquisition and implementation of I&T solutions and their integration in business processes.
Deliver, Service and Support (DSS) addresses the operational delivery and support of I&T services, including security.
Monitor, Evaluate and Assess (MEA) addresses performance monitoring and conformance of I&T with internal performance targets, internal control objectives and external requirements.
COBIT Core Model
Components of the Governance System
Components are factors that, individually and collectively, contribute to the good operations of the enterprise’s governance system over I&T.
Components interact with each other, resulting in a holistic governance system for I&T.
Components can be of several types. The most familiar are processes. However, components of a governance system also include organizational structures; policies and procedures; information items; culture and behavior; skills and competencies; and services, infrastructure, and applications.
Processes describe an organized set of practices and activities to achieve certain objectives and produce a set of outputs that support achievement of overall IT-related goals.
Organizational structures are the key decision-making entities in an enterprise.
Principles, policies, and frameworks translate desired behavior into practical guidance for day-to-day management.
Information is pervasive throughout any organization and includes all information produced and used by the enterprise. COBIT focuses on information required for the effective functioning of the governance system of the enterprise.
Culture, ethics, and behavior of individuals and of the enterprise are often underestimated as factors in the success of governance and management activities.
People, skills, and competencies are required for good decisions, execution of corrective action and successful completion of all activities.
Services, infrastructure, and applications include the infrastructure, technology and applications that provide the enterprise with the governance system for I&T processing.
Capability Levels for Processes
COBIT® 2019 supports a CMMI-based process capability scheme. The process within each governance and management objective can operate at various capability levels, ranging from 0 to 5. The capability level is a measure of how well a process is implemented and performed.
How can Brickendon help?
Brickendon may adopt the standardised COBIT framework to unify documentation.
Brickendon may offer COBIT as an auditing standard, ensuring that clients receive a well-recognised, standardised documentation repository that adds value.
It may employ COBIT-certified consultants to add capacity for the company, or start building the required knowledge base within Brickendon's practices.