COBIT
Overview
COBIT (Control Objectives for Information and Related Technologies) is an IT governance and management framework developed by ISACA. First published in 1996, it provides a comprehensive framework for creating, maintaining, and improving enterprise IT governance.
COBIT is distinct from pure security frameworks because it addresses the entire enterprise IT landscape — governance, risk, compliance, operations, and strategy alignment. It is particularly valued by large enterprises and auditors.
COBIT 2019 Structure
COBIT 2019 is built on 6 governance objectives, 5 enabling processes, and 40 management objectives:
Governance vs. Management
| Governance (Board/Executive) | Management (Leadership/Staff) |
|---|---|
| EDM01 Ensure governance framework setting and maintenance | APO00 Manage IT management framework |
| EDM02 Ensure benefits delivery | APO01 Manage governance |
| EDM03 Ensure risk optimization | APO02 Manage strategy |
| EDM04 Ensure resource optimization | APO03 Manage architecture |
| EDM05 Ensure stakeholder engagement | APO04 Manage innovation |
| EDM06 Ensure compliance | APO05 Manage portfolio |
| | APO06 Manage budgeting |
| | APO07 Manage human resources |
| | APO08 Manage relationships |
| | APO09 Manage procurement |
| | APO10 Manage change |
| | APO11 Manage risk |
| | APO12 Manage security |
| | BAI01 Manage programs |
| | BAI02 Manage requirements |
| | BAI03 Manage solutions |
| | BAI04 Manage availability |
| | BAI05 Manage integration |
| | BAI06 Manage change |
| | BAI07 Manage assets |
| | BAI08 Manage configuration |
| | DSS01 Manage operations |
| | DSS02 Manage security services |
| | DSS03 Manage business process controls |
| | DSS04 Manage continuity |
| | DSS05 Manage incidents |
| | DSS06 Manage audits |
| | DSS07 Manage security events |
| | MEA01 Monitor, evaluate, assess performance |
| | MEA02 Monitor, evaluate, assess compliance |
| | MEA03 Monitor, evaluate, assess conformance |
Design Factors
COBIT 2019 introduces design factors that customize the framework to enterprise context:
- Enterprise strategy
- Enterprise size
- Threat landscape
- Compliance requirements
- IT engagement model
- Sourcing decisions
- Industry benchmarks
- Security requirements
- Risk appetite
- Performance management
- Internal control standards
Key Concepts
- End-to-end enterprise coverage — from strategy to operations
- Goals cascade — links enterprise goals to IT-related goals to enabler goals
- Maturity model — capability assessment from 0 (incomplete) to 5 (optimized)
- Process reference model — 40 management objectives across EDM, APO, BAI, DSS, MEA domains
Relationship to Other Frameworks
- ISO 27001 — COBIT provides governance context; ISO 27001 provides ISMS implementation
- ITIL — COBIT governs; ITIL guides IT service management
- NIST CSF — COBIT is broader (governance); NIST CSF is narrower (cybersecurity)
- technologies/security-frameworks/iso-27001.md | ISO 27001 — information security management
- technologies/security-frameworks/nist-csf.md | NIST Cybersecurity Framework — cybersecurity risk management