In my last post I identified the 5 Domains of IT Governance and discussed how inserting the relevant components of these domains into the enterprise is necessary to ensure effective IT governance. While it is useful to understand these domains and their importance to the business, actually identifying and implementing IT governance using this framework can be a complex and overwhelming undertaking. The answer to this problem may, however, be found in a framework first released in 1996 that has been gaining much popularity and momentum in recent years. This framework is called the “Control Objectives for Information and Related Technology”, though it is commonly referred to simply as COBIT. But what exactly is COBIT, and why should you care?
COBIT, and its recent version 5 release in particular, is a comprehensive framework that, put simply, has been designed to align the enterprise with IT and to assist organizations in meeting planned business objectives. COBIT identifies how organizations can optimize the value gained from IT through a balance of Benefits Realization, Risk Optimization and Resource Optimization. This is achieved through the use of 5 key principles designed to be applied to organizations of all types and sizes:
Notably, COBIT should not be seen as an alternative to the popular Information Technology Infrastructure Library (ITIL) or to other common standards and best practices. COBIT should instead be seen as complementary, as it attempts to be the bridge between all of these resources by providing information and direction on “what” needs to be done and on how the various components interact. In contrast, ITIL provides the more detailed best-practice information on ‘how’ to design and implement the required solution. The table below helps show the depth and usefulness of COBIT 5 as a single go-to point through its unification of standards and frameworks into a single holistic model.
Figure 1 – COBIT 5 Coverage of Other Standards and Frameworks
In its simplest form, the 37 enabling processes identified by COBIT can be used to identify IT gaps and opportunities within the enterprise and provide invaluable insight and direction for their remediation or implementation. The COBIT framework can, however, be extended much further than this. Most notably, COBIT has recently released a “Goals Cascade” intended to provide an effective means of ensuring alignment of IT with the business, commonly seen as one of the most prevalent and costly issues in the industry today. Through the use of capability and maturity assessments, COBIT can also provide you with the means to realize your continual improvement objectives, another common headache for many organizations. COBIT has also been heavily used for years by IT auditors as well as IT security and risk professionals, and as such should be considered default reading for anyone responsible for or exposed to these areas of IT.
The full purpose and use of COBIT 5 is, however, not something that can be easily captured in a single blog entry. To get started with COBIT I would suggest downloading the ‘COBIT 5 – A Business Framework Manual for the Governance and Management of Enterprise IT’ from www.ISACA.org. This is a free resource that provides an initial overview of the framework, how it is used and all the potential benefits it offers. The ‘Enabling Processes’ book, which maps out all 37 COBIT processes, can be purchased for a small fee by non-ISACA members and should be your next point of focus. It is also advisable to consider becoming an ISACA member, as this provides you with free or reduced-cost downloads of much of the COBIT material as well as an abundance of other IT governance, risk, compliance and security related information and benefits (reduced pricing, monthly newsletter, chapter membership, etc.). COBIT 5 foundation courses are also becoming increasingly popular and should be considered by anyone wanting to understand more about COBIT and how it can be applied to realize effective IT governance.
ISACA (2012). COBIT 5: A Business Framework for the Governance and Management of Enterprise IT. Illinois: ISACA Publishing.