Understanding the COBIT Framework: A Comprehensive Guide

LastPass, September 25, 2024

In a global landscape littered with failed startup ventures, true progress can now be found in digital transformation -- cloud computing, automation, and shift-left cybersecurity.  

With COBIT 2019 leading the charge in business resilience, the question is: how can you get a piece of the action? 

Below, we show you how new updates in COBIT 2019 can help your organization achieve the kind of digital transformation that drives competitive advantage and increased profitability. 

What is COBIT? 

Definition and purpose of COBIT framework 

COBIT stands for Control Objectives for Information and Related Technologies. 

It’s an integrated framework that provides guidance for aligning IT goals with business objectives, fostering growth and innovation in digitized enterprises.

So, is COBIT still used? 

The answer is yes. 

Currently, COBIT 2019 focuses on actionable strategies that ensure digital initiatives result in positive business outcomes. 

The COBIT framework also emphasizes two enablers of digital transformation: 

  • Legal and regulatory compliance, which reduces the risks of costly violations that can derail transformation efforts and ultimately, business continuity 
  • Efficient IT operations through streamlined IT processes and optimized IT resource allocation, ensuring digital transformation investments deliver maximum ROI

History of COBIT 

COBIT made its debut in 1996 with Version 1.0.  

Authored by ISACA (Information Systems Audit & Control Association), this first iteration of COBIT provided a set of 34 control objectives for managing corporate information systems. 

Then, in 1998, ISACA released COBIT 2.0, followed two years later by COBIT 3.0. 

For the first time, COBIT 3.0 saw the addition of management guidelines and maturity models to the framework. 

In 2005, ISACA released COBIT 4.0, which put IT governance on the map as an essential part of overall corporate governance. 

Version 4.1 came next in 2007. 

In 2012, ISACA launched COBIT 5 with great fanfare, positioning it as a holistic framework for addressing not only IT governance but also risk management and compliance. 

COBIT 5 consolidated COBIT 4.1, Val IT 2.0, the Risk IT framework, ISACA’s IT Assurance Framework (ITAF), and the Business Model for Information Security (BMIS). 

Finally, COBIT 2019 (the latest version) made its appearance in 2018, providing new guidance on managing digital transformation through EGIT (enterprise governance of information and technology). 

The framework clearly distinguishes between governance and management objectives. It recommends establishing a Digital Business Transformation team led by top-level executives to ensure proper governance. 

Key principles of COBIT 

Compared to COBIT 5, COBIT 2019 places a stronger emphasis on EGIT in the following areas: 

  • Flexibility and openness: The COBIT 2019 open architecture lets focus areas be added or modified without reworking the COBIT core model.
  • Currency and relevance: COBIT 2019 supports alignment with concepts from the latest IT standards and compliance regulations.
  • Design factors: COBIT 2019 introduces 11 design factors that aid in the configuration of an effective enterprise governance system.
  • Performance management: COBIT 2019 introduces a CMMI-based performance management model (COBIT Performance Management, CPM) with capability levels 0-5 for measuring how well governance and management objectives are met, replacing the ISO/IEC 15504-based process assessment model used in COBIT 5.

At this point, we’re often asked, “What are the six principles of COBIT?” 

In answer, the COBIT 2019 framework rests on six principles for a governance system: 

  1. Each enterprise needs a governance system to satisfy stakeholder needs and to generate value from the use of information and technology (I&T). 
  2. A governance system for enterprise I&T is built from diverse components that work together in a holistic way. 
  3. A governance system should be dynamic, which will lead to a more viable and future-proof EGIT (enterprise governance of information & technology) system. 
  4. A governance system should clearly distinguish between governance and management activities. 
  5. A governance system should be tailored to the enterprise’s needs, using a set of design factors as parameters to customize the governance system components. 
  6. A governance system should cover the entire enterprise landscape, focusing not only on the IT function but on all technology and information processing.

What Are the Key Components of COBIT? 

Organizing IT governance 

COBIT 2019 provides a structured approach to IT governance. It establishes clear roles and responsibilities so accountability for decisions is clear. 

Overall governance of enterprise information and technology is the responsibility of the board of directors. 

Meanwhile, the executive management team (CEO, CTO, and CIO) supports the board's goals by carrying out its initiatives. 

Reference model 

COBIT 2019 is an IT governance framework that includes reference models, control objectives, and maturity models as key components. 

The framework serves as a common language for communications between IT professionals, business executives, and regulators. Its reference models are standardized blueprints for optimizing IT processes.  

In COBIT 2019, the Core Model (previously known as the Process Reference Model in COBIT 5) consists of 40 core governance and management objectives. 

Control objectives 

A popular question we’re often asked is, “What does the COBIT framework actually do?” or “How does the COBIT framework support IT governance?” 

In COBIT 2019, domains and control objectives form an integral part of its structure.  

Here's how it works: The framework organizes its 40 governance and management objectives into five domains:

  • Evaluate, Direct and Monitor (EDM): The governing body (Board of Directors) evaluates strategic options for optimizing business processes and IT environments. Then, it directs and monitors the implementation of those options by senior management.
  • Align, Plan and Organize (APO) focuses on structuring and optimizing the use of IT systems.
  • Build, Acquire and Implement (BAI) focuses on acquiring the right IT solutions and integrating them in business processes.
  • Deliver, Service and Support (DSS) addresses the operational delivery and support of I&T services. 
  • Monitor, Evaluate and Assess (MEA) addresses the conformance of I&T with performance and compliance targets. 

Each domain groups several governance or management objectives, and each objective is achieved through a process with defined practices, activities, and metrics (the control objectives of earlier COBIT versions). 

By implementing the control objectives, you’ll enhance your organization’s security posture, ensure regulatory compliance, and achieve high levels of digital trust. 

Maturity models 

While reference models define what should be done to optimize EGIT, maturity models assess how well it’s being done. 

COBIT 2019 incorporates maturity models that allow your organization to identify performance gaps and track improvements over time. 

In 2023, ISACA released CMMI V3.0 (Capability Maturity Model Integration), which added three new domains: 

  • Data Management
  • People Management
  • Virtual Work

The CMMI 3.0 Practice Area, Enabling Virtual Work (EVW), falls under the Virtual Work domain. Meanwhile, another new CMMI Practice Area, Workforce Empowerment (WE), falls under the People Management domain. 

Both EVW and WE promote digital transformation and business continuity. Workforce Empowerment (WE) encourages continuous learning and employee engagement, critical factors in driving digital transformation.  

Meanwhile, Enabling Virtual Work (EVW) allows for flexible workspaces, promoting business continuity during disruptions. Together, EVW and WE facilitate a cultural shift towards more resilient, digitized enterprises. 

Key components that support an effective IT governance & management framework 

At its heart, COBIT 2019 defines seven components (called enablers in COBIT 5) of an effective EGIT (enterprise governance of information and technology) program: 

  • Processes
  • Organizational structures
  • Policies and procedures
  • People, skills, and competencies
  • Culture, ethics, and behavior
  • Information flows
  • Services, infrastructure, and applications

As seen from our discussion, COBIT 2019 is a significant improvement on COBIT 5’s management framework, with guidelines for resource optimization, business continuity, regulatory compliance, innovation, and digital transformation. 

As in COBIT 5, each process in COBIT 2019 comes with a detailed process description highlighting what the process does and how it accomplishes its purpose. 

Benefits of Implementing the COBIT Framework 

Enhanced IT governance and decision-making 

The European Network of Transmission System Operators for Electricity (ENTSO-E) represents 42 electricity transmission system operators (TSOs) from 35 European countries. 

At its heart, ENTSO-E promotes technical collaboration between TSOs to support the EU’s energy policies. 

The organization was already using ITIL for IT service management (ITSM) and ISO 27002:2013 for information security management. In 2014, it adopted COBIT 5.  

The result? ENTSO-E found its IT team could better support TSO members in boosting operational efficiency, increasing staff productivity, and building more customer-centric cultures. 

Ultimately, COBIT 5 enabled better risk management, resource optimization, and performance measurement, leading to more informed decision-making in support of business goals. 

Improved alignment of IT with business objectives 

If you’re looking for another example of how COBIT aligns IT governance with business objectives and enterprise risk management, you’ll appreciate the story of Dubai Customs’ successes. 

A little backstory: Dubai Customs has been in the business of fair trade for more than 100 years. 

The department is responsible for collecting customs revenues, tackling intellectual property (IP) theft, and ensuring trade practices align with global standards.  

Over the years, Dubai Customs has relied on a collection of frameworks to support its goals, such as ITIL (Information Technology Infrastructure Library), ISO/IEC 20000, the ISO/IEC 27000 series, and TOGAF (The Open Group Architecture Framework). 

As time progressed, however, department officials felt an integrated framework was needed, especially one that incorporated key standards for IT governance and risk management. 

They settled on COBIT 5 in 2016. 

A key milestone was their implementation of the COBIT 5 goals cascade, which aligns stakeholder needs (benefits realization, risk management, and resource optimization) with enterprise and IT goals.  

Ultimately, the adoption of COBIT 5 led to increased revenues, improved service quality, and greater operational efficiency – cementing the department’s global reputation for excellence. 

This same story can be yours -- read on to find out how. 

Increased transparency and accountability in IT processes 

It’s 2024: do you know what your AI is doing? 

Questions about transparency, fairness, and accountability are being raised as AI becomes more entrenched in the business landscape – and for good reason. 

When Google’s Gemini chatbot generated images with historical inaccuracies in early 2024, the tech giant faced a tidal wave of criticism on social media platforms. Google paused the feature in response, but questions about fairness and accuracy remain. 

This is where COBIT comes in. The framework emphasizes aligning IT objectives, which includes AI-based projects, with business requirements. This alignment promotes transparency by ensuring AI developments and deployments align with your business decisions and society’s broader vision of digital trust. 

COBIT 2019 can also be integrated with standards like ISO 27001 for a more transparent and accountable IT governance structure. 

How to Implement COBIT for Maximum Enterprise Value 

Steps to effectively implement COBIT framework 

Ready to implement COBIT 2019?  

Here’s a high-level overview of the seven phases of the COBIT implementation approach: 

  1. What are the drivers for COBIT implementation?
  2. Where are we now?
  3. Where do we want to be?
  4. What needs to be done?
  5. How do we get there?
  6. Did we get there?
  7. How do we keep the momentum going?

The following five steps, distilled from the COBIT 2019 Implementation Guide, can guide your efforts through those phases:  

  • Identify stakeholder needs, such as business continuity and digital transformation, and get buy-in from executive management.
  • Identify enterprise goals from COBIT’s goals cascade, determine alignment goals, and choose design factors to customize implementation.
  • Allocate resources, set timelines, and begin with pilot projects to test the framework's implementation before making organization-wide changes.
  • Track key metrics and key performance indicators to assess the effectiveness of your efforts.
  • Make necessary adjustments based on employee feedback and results.

Best practices for optimizing enterprise governance of information and technology (EGIT) 

Below are four of our best practices for optimizing EGIT: 

  1. Implement the NIST Cybersecurity Framework (CSF) with COBIT 2019. The combination covers the CSF functions (Identify, Protect, Detect, Respond, Recover, plus the Govern function added in CSF 2.0) while providing the governance and management structure of COBIT. It brings value to consumers and partners by shining a spotlight on IT risks that endanger data security and business continuity.
  2. Establish a culture with strong values that support EGIT. Culture, ethics, and behavior are often underestimated as driving forces for optimizing technology and information governance. In a dynamic business landscape, speed is critical in achieving business resilience. This can include investing in automation to enable rapid responses to customer concerns or leveraging AI-based analytics to interpret consumer needs.
  3. Choose the most relevant COBIT 2019 enterprise goals for optimizing EGIT in your organization. For example, you might track the metrics below to evaluate your compliance performance: 
     • Cost of regulatory noncompliance, including settlements and fines 
     • Number of regulatory noncompliance issues causing public comments or negative publicity 
     • Number of noncompliance incidents noted by regulators or supervisory authorities 
     • Number of regulatory noncompliance issues relating to contractual agreements with business partners 

     For business continuity, the following metrics might be helpful:  

     • Number of customer service or business process interruptions causing significant incidents 
     • Business cost of incidents 
     • Number of business processing hours lost due to unplanned service interruptions 
     • Percent of complaints as a function of committed service availability targets
  4. Leverage automation. This is one of the most effective ways to achieve business resilience and digital transformation. For example, automated tools can be used to conduct initial risk assessments, identify gaps, and establish a baseline for COBIT implementation. You can also use compliance management software to automate various COBIT processes such as real-time monitoring of compliance status, tracking of regulatory changes, and streamlining of audit and documentation procedures.

Aligning COBIT with organizational goals and objectives 

Here are our four best tips for aligning COBIT with organizational goals: 

  • Use COBIT’s goals cascade to align IT and enterprise goals.
  • Conduct a cost-benefit analysis to ensure resource allocation supports IT initiatives that provide business value.
  • Establish open communication channels between IT, management, and marketing teams. Ensure your business managers are working closely with the CIO to determine how best to exploit new technologies (such as AI and ML) to support business transformation efforts.
  • Include IT risk management as part of your overall enterprise risk optimization program. With risk optimization, you avoid “bad” risks and take on “good” risks with a positive ROI outlook. 

COBIT uses capability levels to assess how well your organization’s IT strategy is supporting its business objectives. The six capability levels (0-5) are progressive in nature, increasing IT-business alignment as your organization moves up the levels. 

COBIT Certification and Training 

Overview of COBIT certification programs 

Currently, there are four types of COBIT certification programs. They are: 

  1. COBIT 5, which consists of COBIT 5 Foundation, COBIT 5 Implementation, COBIT 5 Assessor, and Implementing the NIST Cybersecurity Framework Using COBIT 5
  2. COBIT Design and Implementation, where you and your employees learn how to design and implement an effective IT governance system and run governance improvement programs
  3. COBIT Foundation, where you or your employees gain a more in-depth understanding of the COBIT 2019 Framework. This certification affirms you have the necessary skills to establish, improve, and maintain a system for effective governance and management of enterprise information technology.
  4. Implementing the NIST Cybersecurity Framework Using COBIT 2019, which is intended for those with in-depth knowledge of the framework and foundational understanding of cybersecurity concepts. Here, you or your employees learn how to effectively combine cybersecurity standards and Enterprise Governance of Information & Technology (EGIT). 

Benefits of becoming a certified COBIT professional 

Having COBIT certified professionals on staff comes with several key benefits. They include: 

  • Industry credibility: Having COBIT certified professionals on staff shows your organization’s commitment to complying with recognized industry standards for IT governance. This gives regulators, vendors, partners, and consumers greater confidence in the quality and reliability of your organization’s IT practices.
  • Digital transformation support: COBIT certified professionals are equipped to deploy the latest cybersecurity measures to satisfy modern consumer demands for data privacy and security.
  • Improved stakeholder communication: COBIT certified professionals can better communicate IT concepts and issues, promoting better decision-making at the executive level.
  • Better resource optimization: With COBIT certification, your employees know how to optimize IT resources, which can lead to cost savings and improved service deliverability.
  • Enhanced risk management: COBIT certified professionals are equipped with the skills to effectively mitigate IT-related risks. This can protect your business from data breaches and their consequences: reputational damage, lost revenues, & fines for non-compliance with legal and regulatory requirements.

Recommended training resources for COBIT exam preparation 

Considering COBIT certifications for your employees? If so, the following resources can help.  

  • Official ISACA COBIT certification training
  • COBIT publications, which now include COBIT 2019 for Small and Medium Enterprises and three Focus Areas: DevOps Using COBIT 2019, Information and Technology Risk, and Information Security*
  • Training provided by APMG accredited providers. APMG International is a global accreditation body that accredits COBIT training organizations and administers the COBIT 2019 exams. If you’re looking for COBIT 2019 training, be sure to reference APMG’s list of training providers. You can also book an exam when you’re ready.
  • Online training platforms like Simplilearn, which offer a COBIT 2019 online bootcamp with virtual labs for tackling real-world scenarios. Simplilearn COBIT classes are taught by experts who continue to be active in their field.
  • Self-study materials such as practice exams from learning platforms like Udemy and Test Prep Training**

* Key industry-related COBIT training publications are free with ISACA membership. 

** Practice exams from non-ISACA sources aren’t explicitly endorsed by ISACA but may boost learning in preparation for the official exam. 

COBIT vs. Other IT Governance Frameworks 

Comparison of COBIT with ITIL and NIST 

You may be familiar with NIST, but what is ITIL? More importantly, is COBIT the same as ITIL?  

The short answer is no. 

Below, we compare COBIT with both ITIL and NIST in terms of purpose, focus, and target audience. 

Purpose:  

  • COBIT provides comprehensive guidance for aligning IT goals with business objectives. The financial sector was an early adopter of COBIT, using it to achieve compliance with the Sarbanes-Oxley Act. However, more industries are implementing it as a versatile enterprise IT governance and management framework.
  • ITIL defines best practices for IT service management.
  • NIST (here, chiefly the NIST Cybersecurity Framework) provides guidance for managing cybersecurity risk, with the aim of building digital trust and stronger security cultures across industries.

Focus: 

  • Of all three, COBIT has the broadest approach, covering governance and management across the entire IT landscape
  • ITIL specifically emphasizes IT service management.
  • NIST has a narrower focus, providing guidance for cybersecurity and risk management.

Target Audience:  

  • COBIT’s audience includes (1) internal stakeholders: IT managers, developers, C-suite executives, business managers, governance, risk, and compliance (GRC) managers, and IT quality control professionals; and (2) external stakeholders: partners, vendors, and regulators. 
  • ITIL is primarily used by IT service management professionals.
  • NIST is used by organizations of all sizes across industries. 

Key differentiators and strengths of COBIT 

There are several differentiators and strengths that set COBIT apart from ITIL and NIST: 

Broad, holistic approach: Like NIST, COBIT integrates multiple frameworks. However, COBIT’s specific focus is IT governance, risk management, and compliance. In contrast, ITIL’s primary focus is IT service management, while NIST prioritizes cybersecurity risk management.  

That said, it’s now possible to map NIST CSF 2.0 functions with the corresponding governance and management objectives of COBIT 2019. What this does is ensure your organization’s cybersecurity controls are aligned with both business objectives and risk tolerance levels. 

Flexibility: With COBIT 2019, you get design factors and focus areas to customize a governance system that fits your unique business needs. 

Risk management focus: COBIT places a stronger emphasis on risk mitigation than ITIL. 

Clear distinction between governance and management: COBIT is the only one of the three that explicitly separates the governance and management of information and technology.  

Choosing the right framework for your organization's needs 

To choose the right framework for your business needs, consider these factors: 

  1. Business goals: If both cybersecurity and IT governance and management are top business priorities, you may want to combine COBIT 2019 and the NIST Cybersecurity Framework 2.0. On its own, COBIT is best for organizations with silos across various IT departments, as it can unify standards like ITIL, ISO/IEC 20000, TOGAF, and CMMI under a single framework.
  2. Industry-specific requirements: If your organization is a government agency or critical infrastructure entity, you’ll want to choose NIST CSF 2.0 and COBIT 2019. 

     On the other hand, if service delivery and support are key priorities, ITIL should be part of your management toolkit. ITIL 4 (the latest iteration of ITIL) aligns with Lean, Agile, and DevOps principles.  

     This means value creation for your customers through waste minimization, adaptability, iterative progress, automation, and continuous delivery. With ITIL, you achieve faster, more impactful service delivery that satisfies evolving consumer demands. 

  3. Scalability: NIST CSF 2.0, ITIL 4, and COBIT 2019 are all highly scalable. However, full implementation can be resource intensive, requiring specialized knowledge, continuous monitoring, and buy-in from executive leadership, vendors, customers, and employees. 

Integrating COBIT with LastPass for Enhanced Security 

How LastPass complements COBIT 

LastPass perfectly complements COBIT 2019 in the areas of information security, access management, and risk management. 

  • Information security: With our Password Generator, you and your employees get strong, random passwords -- the kind NIST SP 800-63B recommends -- at the snap of your fingers. According to Keeper Security, 95% of IT leaders admit cyberattacks are becoming more sophisticated, with AI-based password-related attacks among the top threat vectors. Secure password management is therefore your first line of defense against these attacks. With LastPass, you get both secure password generation and storage in zero-knowledge, AES-256-encrypted vaults.
  • Access management: Strong privileged access controls complement secure password generation and storage. Together with COBIT 2019’s focus on information security, LastPass strengthens your security posture and offers you another layer of defense against credential-based attacks.
  • Risk management: With robust cryptographic protections, LastPass reduces your risks of an expensive breach, aligning with COBIT’s risk management guidance on securing critical assets and data in transit.

Benefits of integrating LastPass with COBIT 

You get four key benefits when you integrate LastPass with COBIT: 

  • Enhanced security posture: LastPass helps your organization comply with COBIT’s information security standards and achieve high levels of digital trust. 

A new 2024 study by ISACA (the creator of COBIT) shows 78% of respondents agree digital trust is important to digital transformation but only 52% see their organization as digitally trustworthy.  

With LastPass, you get secure password sharing, credential monitoring, and role-based access control, complying with COBIT’s new emphasis on information security and risk management. The result? Effortless digital trust and business resilience. 

  • Increased efficiency: Automating password management reduces IT admin duties and improves workforce productivity, supporting COBIT’s focus on operational excellence. 

Your IT team will receive fewer password reset requests, freeing them to tackle higher-value business tasks. And with our secure autofill capabilities and passwordless authentication choices, your employees can say goodbye to passwords forever. 

  • Clear audit trails: With LastPass, you get strong reporting features, which are crucial for demonstrating compliance during formal audits.
  • Improved compliance: Whether your organization complies with NIST, COBIT, HIPAA, GDPR, HITRUST, or NERC-CIP standards, LastPass helps you meet regulatory requirements for password complexity and storage.

Step-by-step guide to implementing LastPass within COBIT 

Ready to see how LastPass can work with COBIT 2019 to deliver all the gains discussed in this article? This easy step-by-step guide makes implementing LastPass within COBIT a breeze: 

  1. Assess your organization’s information security and risk management posture: Evaluate your current password practices and identify gaps in security and compliance.
  2. Determine the key milestones of your project: Each milestone should be specific, measurable, achievable, relevant, and time-bound (SMART). Milestones will help you assess your success in aligning your IT and business objectives.
  3. Establish clear communication channels: Determine how you’ll communicate with your staff, IT teams, and executive leadership. Will you have regular progress reports and updates?  
  4. Define your business objectives: Decide what your access control goals are. Will they include secure password creation, storage, and sharing? Next, decide how that aligns with COBIT objectives for information security.
  5. Allocate resources: Determine how much you’ll spend and which staff members you’ll task with implementing LastPass within COBIT. 
  6. Sign up for a free, no-obligation trial of LastPass Business. Next, follow the LastPass guide on setting up and using the product.
  7. Use LastPass to enforce new password policies: Implement new policies for password creation, storage, and sharing based on LastPass features and COBIT guidelines. Start with the highest-risk departments first. If you use a directory or identity provider such as Microsoft Active Directory, integrate it with LastPass so that user access is provisioned and revoked from one place, in line with COBIT’s guidelines on access control and data protection.
  8. Implement continuous improvement: Use insights from your LastPass logs to refine your access policies, in line with COBIT’s focus on continuous improvement.
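Step 7 above asks you to enforce password policies, and the earlier section on information security describes generated passwords as "the kind NIST recommends". As an added example (not LastPass's or ISACA's code), the block below writes those NIST SP 800-63B rules down as a policy checker plus a CSPRNG-backed generator, so you can see what "NIST-recommended" actually means: a minimum length, a breached-password blocklist, Unicode normalization before comparison, rejection of the user's own name and organization words, and, just as importantly, no composition rules and no expiry. The blocklist, the organization word list, and the usernames are constructed for the example; a real deployment checks against a full breached-password corpus.

```python
"""NIST SP 800-63B-style password policy: an added, stand-alone example
(not LastPass or ISACA code) of the rules a password manager's generator
and a password policy should follow. The blocklist and context words
below are constructed for the example."""
import math
import secrets
import string
import unicodedata

# SP 800-63B section 5.1.1.2: memorized secrets chosen by the user are at
# least 8 characters; verifiers accept at least 64 characters.
MIN_LENGTH = 8
MAX_LENGTH = 64

# Constructed stand-in for a breached-password corpus (a real deployment
# checks against millions of entries, e.g. a Have I Been Pwned export).
BREACHED = {"password", "password1", "123456", "qwerty", "letmein",
            "welcome1", "p@ssw0rd"}

# Alphabet for generated secrets: the 94 printable ASCII characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def normalize(password: str) -> str:
    """800-63B requires Unicode NFKC normalization before the secret is
    compared or hashed, so look-alike code points do not bypass checks."""
    return unicodedata.normalize("NFKC", password)


def is_repetitive_or_sequential(password: str) -> bool:
    """Reject "aaaaaaaa", "12345678", "zyxwvuts" and similar patterns."""
    if len(set(password)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(password, password[1:])}
    return steps in ({1}, {-1})


def check_password(password: str, username: str = "", context_words=()) -> list:
    """Return the list of policy violations; an empty list means the
    password is acceptable. Note what is deliberately absent: no
    upper/lower/digit/symbol composition rules and no expiry date, which
    800-63B tells verifiers NOT to impose."""
    pw = normalize(password)
    lowered = pw.lower()
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too_short")
    if len(pw) > MAX_LENGTH:
        problems.append("too_long")
    if lowered in BREACHED:
        problems.append("breached")
    if username and username.lower() in lowered:
        problems.append("contains_username")
    if any(word.lower() in lowered for word in context_words):
        problems.append("contains_context_word")
    if is_repetitive_or_sequential(pw):
        problems.append("repetitive_or_sequential")
    return problems


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly random secret of this length and alphabet."""
    return length * math.log2(len(alphabet))


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Generate a secret with the OS CSPRNG (never random.choice) and
    re-run the policy on it, as a password manager's generator should."""
    if length < MIN_LENGTH or length > MAX_LENGTH:
        raise ValueError("length must be between %d and %d" % (MIN_LENGTH, MAX_LENGTH))
    if len(set(alphabet)) < 2:
        raise ValueError("alphabet must contain at least two distinct characters")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed inputs: 'alice' is a hypothetical username.
    for pw in ("password", "12345678", "alice2024!", "Tr0ub4dor&3"):
        print(f"{pw!r:16} -> {check_password(pw, username='alice') or 'ok'}")
    generated = generate_password()
    print(f"generated {generated!r}: {entropy_bits(len(generated)):.1f} bits")
```

A 20-character secret from this alphabet carries about 131 bits of entropy, which is why a generated password only needs the blocklist and pattern checks as a safety net, while a user-chosen one needs every rule. Plugging a real breached-password source into BREACHED is the one change needed to use the checker in earnest.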

With LastPass and COBIT at your side, you’ll enjoy greater operational efficiency, optimized resource allocation, improved risk management, agility -- and more importantly -- the trust of your partners, vendors, and customers. Don’t wait to get started today: Sign up for a free, no-obligation LastPass Business trial on us.