COBIT is one of the most widely used frameworks for IT governance. Among ITSM frameworks, COBIT is best known for aligning IT strategy with the overall business goals of the organization. Initially released in 1996, the framework has become popular among organizations for managing their IT risks, ensuring compliance, and keeping ITSM on track for achieving organizational goals.
With this article, we hope to introduce you to the COBIT framework. We’ll be talking about:
- COBIT and its components
- Similarities and differences between COBIT and ITIL
- COBIT maturity model
- Key benefits of the COBIT framework
Read on to know more about this popular IT governance framework.
What is COBIT?
COBIT, or Control Objectives for Information and related Technology, is a framework that was first released by the Information Systems Audit and Control Association (ISACA) in 1996. At first, the goal was to bring together the financial aspects of a business with its IT. The scope has evolved over time to bring the IT processes to be more in touch with the business goals of the organization.
ISACA has released updated versions of the framework over the years. One of the most popular versions, COBIT 5, was released in 2012 and brought in various aspects of COBIT 4.1, as well as other products from ISACA. COBIT 5 incorporated elements for information and data security governance into the framework.
COBIT 5 is based on five guiding principles:
- Meeting the needs of stakeholders.
- Covering the whole enterprise from end to end.
- Application of a single integrated framework.
- Ensuring a holistic approach to business decision making.
- Separating governance from management.
Let's take a closer look to each of them.
1. Meeting the needs of stakeholders
For all organizations, this is the main business goal. The idea is that all processes must be oriented towards achieving the goals of the stakeholders.
2. Covering the whole enterprise from end to end
By the time COBIT 5 was developed, most businesses had come to the conclusion that they needed a framework that didn't just cover IT, but the whole enterprise. Other frameworks like ITIL have followed a similar idea, expanding their scope to industries other than IT (which is why the IT Infrastructure Library became ITIL). And ISACA developed COBIT 5 with this thought process, to create a framework for the entire business.
3. Application of a single integrated framework
COBIT helps departments across an organization to have a single framework that is aligned with other standards like ITIL and ISO. COBIT 5 helps create organization-wide definitions for different terms and reduces ambiguity.
4. Ensuring a holistic approach to business decision making
COBIT 5 views the entire organization as a whole instead of disparate components or entities. The framework helps stakeholders make decisions and implement them across the organization using what COBIT refers to as "enablers."
Separating governance from management
According to COBIT 5, IT governance and management need different organizational structures and activities, and therefore keeps them separate.
In 2019, ISACA released the latest version named COBIT 2019, foregoing the earlier version number system. COBIT 2019 follows an open-source model, using inputs from governance experts and the community to release new updates.
What are the components of COBIT?
COBIT has a three-level structure connected to each other comprising business requirements, IT resources, and IT processes.
The COBIT framework uses five components to make use of the IT resources available to carry out the IT processes, which in turn helps meet the business requirements.
Regarding the three-level structure, business requirements consist of:
On the other hand, IT resources consist of:
- IT infrastructure
- IT applications
- Information and data
And lastly, IT processes consist of:
Now, it's time to dive into the five components of COBIT:
- Process descriptions
- Control objectives
- Management guidelines
- Maturity models
The framework is for organizations to categorize their IT governance objectives into different IT processes and domains. This is in turn linked to various business requirements of the organization.
The goal of this framework is to connect the decisions made by the executives and the stakeholders with the work carried out by the individual IT team members. It keeps the goals of the organization and the activities of the IT department in sync with each other.
2. Process descriptions
Process descriptions create a common language across the entire organization. They serve as a reference model for building different processes in the organization. They cover all aspects of IT processes, including planning, creating, running, and monitoring. It reduces confusion in the organization by creating consistent terminologies and process descriptions across the company.
3. Control objectives
As the name suggests, these components are used for controlling different IT processes. This is a complete set of high-level requirements the management has set for control of IT processes.
4. Management guidelines
Management guidelines are used to assign responsibilities for different processes and define how different processes are connected to each other. They are used for defining responsibilities for tasks, creating agreed-upon performance metrics, and suggesting how COBIT can work with other frameworks in the organization. Stakeholders use these for coming up with shared objectives.
5. Maturity models
Maturity models are used to measure the maturity and capabilities of different processes. The maturity model lets organizations assess the maturity of all the processes, activities, and domains in the COBIT implementation, on a scale of zero to five.
COBIT Vs ITIL
COBIT and ITIL are frameworks that are used to manage ITSM services within an organization. Both are highly popular and have evolved with time, and like other frameworks, these two also have borrowed elements from each other. The differences between the two frameworks mainly arise from their approaches towards ITSM, which in turn stems from why they were designed initially.
COBIT is more of a governance framework and takes more of a rule or control-based approach towards ITSM. The COBIT framework helps an organization to create well-defined controls and make sure that it is implemented throughout the organization.
These rules can be for compliance with other standards or industry regulations, or for achieving stakeholder objectives. And we can trace the origins of this approach to why COBIT was designed: to make it easier for financial auditors to manage the IT aspects of an organization.
The ITIL framework builds the ITSM strategy of an organization around different services that the client can request. The client in this case can be the departments in the organization or an external client whose ITSM the organization is managing.
The framework helps organizations build these services so as to meet the client requirements, and ensure clear communication between all the parties involved in every stage of service delivery.
The framework was originally designed by the UK government for standardizing IT management practices around government functions. Over time, ITIL has evolved by taking elements from DevOps and other practices.
While both frameworks have different approaches, they’re both trying to solve the same problem and have similar goals: to get the most out of the organization’s IT and help the organization reach its goals.
Both frameworks also try to develop a definitive language across different parties; ITIL tries to ensure clear goals and expectations between the service provider and the client, while the COBIT framework uses process descriptions to create a consistent language for different processes and activities.
What is the COBIT maturity model?
The COBIT maturity model is used to assess the progress of COBIT implementation in an organization and to gauge the capability of the organization in different processes.
COBIT 5 used PAM or Process Assessment Model with six capability levels. But in 2016, ISACA acquired CMMI (Capability Maturity Model Integration), a process appraisal program developed by Carnegie Mellon University. This was then used to build the COBIT 2019 maturity model.
Maturity levels for different processes, objectives, and domains are obtained from the score of the 1202 activities and their expected capability levels defined in the framework. COBIT has defined six capability levels for all processes; from level zero to level five.
At level zero, the process lacks any basic capability, and at level five, the process is well defined, it achieves its purpose, and continuous performance measurement and improvement is implemented.
The practice capability is usually measured by a simple average of the maturity levels of the activities. In some cases, when organizations and processes are more mature, a weighted average may be used to determine the capability.
The holistic nature of COBIT demands that the organization consider other factors along with the capability level to determine the score for the practice. The expected capability levels are also adjusted to the industry or organizational standards to gain a meaningful figure.
The benefits of COBIT
Like most other ITSM frameworks, COBIT also helps organizations improve their ITSM. In particular, it helps organizations to:
- Standardize their IT processes
- Make the IT infrastructure more efficient
- Help the company organize and get the most out of their IT resources
- Stay compliant
The last item is why COBIT is mainly known for. In this sense, COBIT helps organizations stay compliant with the various legal requirements of the industry, as well as contractual agreements they have with their clients. The framework helps organizations manage their compliance, financial, and cybersecurity risk effectively.
COBIT is also a great framework for stakeholders and company executives to control the IT operations with a holistic view of the entire organization. The framework lets executives dictate organizational goals and link every IT process to them. COBIT gives executives tools to execute their vision for the organization at every level.
The COBIT maturity model is popular among organizations for setting expectations and helping them achieve goals. It helps organizations understand where they’re at and where they need to be in terms of their capabilities in different processes. COBIT helps organizations set measurable goals and clear indicators of success.
Different organizations will have different IT requirements and they need a framework that can be adapted to their unique needs. This is what COBIT delivers.
The framework offers a collection of activities, processes, and management objectives. Practitioners essentially get to choose and build a solution from this collection that’s perfectly suited to their requirements. Organizations can bring in the frameworks they’re already using, such as ITIL and DevOps, when implementing COBIT.
After this thorough description of the COBIT framework, it's time to recap its most relevant aspects:
- COBIT is famous for its focus on IT governance since it helps organizations stay compliant with legal requirements and client contracts.
- This is actually the main difference between COBIT and ITIL: the latter focuses on delivering the best IT services to the client, and making sure that both the client and the service provider are on the same page for ITSM.
- The five components in the framework guide organizations to set up their IT infrastructure, and use their IT resources and processes efficiently to meet the business requirements.
Due to the fact that, in its origins, the COBIT framework was designed to simplify for financial auditors the management of IT aspects within an organization, it's a robust model to measure and set goals for capability.
And the good thing is that it can work perfectly with other frameworks like ITIL and DevOps.
Frequently asked questions
What does COBIT stand for?
COBIT stands for Control Objectives for Information and Related Technology. The framework was developed by ISACA and was first released in 1996.
What is COBIT 5?
COBIT 5 was the last version of the COBIT framework to be released with a name referring to the version number. It was released in 2012 and drew on COBIT 4.1, VAL IT 2.0, as well as other products from ISACA. It still remains one of the most popular COBIT versions.
What is the purpose of COBIT?
Like other ITSM frameworks, the purpose of COBIT is to manage the IT infrastructure of an organization. The framework was initially designed to bring the financial side of the business more in sync with the IT aspects and this reflects even in current iterations; COBIT is still about linking business requirements with IT processes.