This article provides an overview and  summary of COBIT 5 and why it would be used by an organisation.

COBIT stands for Control Objectives for Information and Related Technology. It is a framework created by the ISACA (Information Systems Audit and Control Association) for IT governance and management. COBIT is a supportive tool for IT managers and bridges the crucial gap between technical issues, organisation risks and control requirements. Organisation managers are equipped with a model to deliver value to the organisation and practice better risk management practices associated with the IT processes. COBIT is a control framework that delivers the integrity of the information systems. COBIT is used globally by many organisations and IT managers responsible for the IT organisation processes. It is a recognised framework that can be applied to any organisation across all industry sectors. Overall, COBIT ensures quality, control, compliance and reliability of information systems in organisation, which is crucial aspect of every modern organisation.

The COBIT organisation orientation includes linking organisation goals with its IT infrastructure by providing various maturity models and metrics that measure the achievement while identifying associated organisation responsibilities of IT processes. COBIT has a high position in IT frameworks and has been harmonized by several successful organisations. It has been recognised under various international standards including ITIL, CMMI, COSO ERM, PRINCE2, TOGAF, PMBOK, TOGAF and ISO 27001/2. COBIT basically acts as an overarching integrator by merging multitude of IT frameworks, standards and best practices under one umbrella.

COBIT is currently in version 5 that was released in 2012 and consolidates the principles of COBIT 4.1, Risk IT Frameworks and Val IT 2.0. COBIT 5 draws reference form IT Assurance Framework (ITAF) from ISACA and the revered BMIS (Organisation Model for Information Security).

The various components of COBIT 5 include:

  1. Framework – IT helps organising the objectives of IT governance and bringing in the best practices in IT processes and domains, while linking organisation requirements.
  2. Process Descriptions – It is a reference model and also acts as a common language for every individual of the organisation. The process descriptions include planning, building, running and monitoring of all IT processes.
  3. Control Objectives – This provides a complete list of requirements that have been considered by the management for effective IT organisation control.
  4. Maturity Models – Accesses the maturity and the capability of every process while addressing the gaps.
  5. Management Guidelines – Helps in better assigning responsibilities, measuring performances, agreeing on common objectives and improved interrelationships with every other process.

COBIT 5 is being widely used by all major organisations whose primary responsibilities happen to be organisation processes and related technologies. COBIT 5 is also widely used by both the government and private commercial organisations. COBIT 5 is also used by major regulatory and compliance bodies in major economies and is aligned with key GRC frameworks, such as, Sarbanes Oxley (SOX 404) and COSO ERM (Enterprise Risk Management).

COBIT 5 encourages organisations to govern and manage information in a most holistic and integrated manner. The guiding principles of COBIT 5 include:

  1. Meeting the needs of stakeholders.
  2. Covering the whole enterprise from end to end.
  3. Application of a single integrated framework.
  4. Ensuring a holistic approach to organisation decision making.
  5. Separating the governance from the management.

As the modern economies and industries shift towards an environment of several emerging technologies, including Digital, Consumerisation, Cloud Computing, Social Media, Big Data and Mobility, information and IT is easily the new currency. Technology ensures massive volumes of information can be easily supported and managed. This raises the success rate of organisations, but at the same time raises other challenging and complex management and governance concerns for the security professionals, enterprise leaders, and governance specialists. Modern organisations demand robust governance, risk and compliance management and COBIT 5 is the best solution.

COBIT 5 processes are split into governance and management categories. These 2 categories contain a total of 5 domains and 37 processes:

  1. Governance of Enterprise IT
    Evaluate, Direct and Monitor (EDM) – 5 processes
  2. Management of Enterprise IT
    Align, Plan and Organise (APO) – 13 processes
    Build, Acquire and Implement (BAI) – 10 processes
    Deliver, Service and Support (DSS) – 6 processes
    Monitor, Evaluate and Assess (MEA) – 3 processes

More details can be found in the individual articles, which provide further drill down on the individual domains and processes.

For more information please contact Morland-Austin at