CobiT (“Control Objectives for Information and Related Technology”) was first published in 1996 and became widely adopted by the business community in the United States from 2002 onward, when it emerged as the predominant framework for evaluating internal controls over IT. The newest issue of ITPP contains revisions and updates to its treatment of CobiT, which continues to evolve to reflect the role of IT in business.
CobiT 5 was released in 2012. It takes a higher-level, governance-oriented approach, focusing on stakeholders and their needs. It retains the internal-control focus of earlier versions of CobiT but goes beyond it. A diagram of the five CobiT 5 principles is shown below.
Unlike other internal-control frameworks, CobiT focuses specifically on information technology as it functions within a business. Its approach is holistic, integrating the need to regulate an organization internally with the priorities of a thriving business. These two objectives, a smoothly operating organization and a successful business, clearly depend on each other, but how to integrate the principles behind them is not always obvious.
The guidelines within CobiT seek to harmonize these two concerns. Because technology evolves so rapidly, periodic revisions to CobiT’s mandates help businesses keep functioning well and make the most of information technology’s tools. Learn more in ITPP’s latest update.
How can I use ITPP to... understand CobiT 5?
Information Technology PolicyPro (ITPP), published by First Reference Inc., includes a succinct introduction to CobiT 5 (as well as to our own Canadian IT-control model). You may find it helpful to review it to gain an overview of the CobiT 5 IT control model, released in 2012.
CobiT 5 divides its 37 governance and management processes into five broad categories (called “domains”). These enabling processes are mapped to 17 IT-related goals, and each process in turn has its own process goals and metrics.
For example, the first domain, “Evaluate, direct, and monitor”, relates to board-level governance over enterprise information technology; the other four domains (“Align, plan and organize”, “Build, acquire and implement”, “Deliver, service and support”, and “Monitor, evaluate and assess”) relate to management of enterprise information technology.
The 17 IT-related goals in the CobiT 5 model (listed below) are organized by the “balanced scorecard” framework, which divides goals among four dimensions: financial, customer, internal processes, and learning and growth.
Financial
- Alignment of IT and business strategy
- IT compliance and support for business compliance with external laws and regulations
- Commitment of executive management for making IT-related decisions
- Managed IT-related business risk
- Realized benefits from IT-enabled investments and services portfolio
- Transparency of IT costs, benefits and risk
Customer
- Delivery of IT services in line with business requirements
- Adequate use of applications, information and technology solutions
Internal
- IT agility
- Security of information, processing infrastructure and applications
- Optimization of IT assets, resources and capabilities
- Enablement and support of business processes by integrating applications and technology into business processes
- Delivery of programs delivering benefits, on time, on budget, and meeting requirements and quality standards
- Availability of reliable and useful information for decision making
- IT compliance with internal policies
Learning and Growth
- Competent and motivated business and IT personnel
- Knowledge, expertise and initiatives for business innovation
Source: CobiT 5: A Business Framework for the Governance and Management of Enterprise IT, ISACA, 2012, page 52.
ITPP release 2012-03
With this ITPP release we begin converting the cross-references in this book from CobiT 4.1 (published in 2007) to CobiT 5 (published in 2012). Previously, every policy was cross-referenced to CobiT 4.1’s control objectives. CobiT 5 takes a somewhat different approach, so the new references are to CobiT 5 “processes” and “IT-related goals.”
CobiT is published by ISACA (the Information Systems Audit and Control Association). It is an authoritative standard for IT controls, and the latest iteration expands its scope to include governance and enterprise risk management.
This release consists of a replacement of the Introduction to ITPP (where the discussion of CobiT is updated), as well as of all of Chapter 1 – Planning, which includes the following policies:
IT 1.01 – Strategic Planning identifies critical elements of the IT strategic plan and ensures that IT planning is aligned with the organization’s strategic goals.
IT 1.02 – Tactical Planning deals with the annual planning cycle and ensures that it is consistent with the strategic plan.
IT 1.03 – Implementation Planning provides overall policies for implementing and modifying systems and applications.
IT 1.04 – Site Planning addresses selection and preparation of a site for an IT installation.
IT 1.05 – Risk Assessment provides policies for dealing explicitly with risk identification and risk assessment.
IT 1.06 – Risk Management addresses procedures to review and manage IT risks.
The material has been updated and freshened, and cross-references and links have been replaced and updated.
Jeffrey D. Sherman
BComm, MBA, CIM, FCA