ISACA has replaced the seven-year-old COBIT 5 with COBIT 2019. This three-part article explains COBIT 2019, based on published ISACA guidance.
Overview of the changes
COBIT 2019 remains ISACA's framework for enterprise governance of information and technology (EGIT), and it remains based on the principle that information and technology (I&T) is an enterprise-wide governance concern, not just an issue for the IT department.
COBIT 2019 introduces substantial changes. It is more comprehensive, with new focus areas, new design factors, an updated goals cascade, and 40 governance and management objectives instead of COBIT 5's 37. It responds to newer technologies and business trends, for example DevOps and outsourcing. Going forward, each release of the framework will be named for its year of publication.
ISACA will continue to support COBIT 5. Information Technology PolicyPro will incorporate COBIT 2019 over time. Read more about COBIT 2019 here.
Inputs into COBIT 2019
COBIT 2019 has three main inputs:
- COBIT 5;
- Standards, frameworks and regulations: COBIT 2019 positions itself as the umbrella I&T governance framework and, as such, aligns with several standards, frameworks and regulations (some of which were changed or introduced in the years since COBIT 5 was published), including:
- Cloud standards and good practices, for example Amazon Web Services (AWS) guidance;
- Committee of Sponsoring Organizations (COSO) Enterprise Risk Management (ERM) Framework, June 2017;
- CMMI Cybermaturity Platform, 2018;
- HITRUST Common Security Framework, version 9, September 2017;
- International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) standards;
- Information Technology Infrastructure Library (ITIL) v3, 2011; and
- US National Institute of Standards and Technology (NIST) standards, including the Framework for Improving Critical Infrastructure Cybersecurity, version 1.1, April 2018; and
- Community contribution: ISACA describes COBIT 2019 as an open-source model and encourages input on future changes from the global governance community, so that COBIT continues to reflect current insights and developments.
So, what is governance?
COBIT 2019 continues to draw a clear distinction between governance and management, and continues to assign each sphere of responsibility and control, which it terms a domain, exclusively to either governance or management. (Other articles in this series explore governance and management goals, processes and domains.)
Governance is the domain of the board of directors or an equivalent body. The board evaluates strategic options, directs senior management on the chosen strategy and monitors achievement of the strategy.
Under COBIT 2019, the board must ensure that the enterprise:
- Evaluates stakeholder needs, conditions and options, and determines balanced, agreed-on enterprise objectives;
- Sets directions through prioritization and decision-making; and
- Monitors performance and compliance against agreed-on direction and objectives.
And what is management?
Management is the responsibility of the enterprise's executive management, led by a chief executive officer (CEO) or equivalent.
COBIT 2019, like its predecessor, requires that management plan, build, run and monitor activities in alignment with the direction set by the board. (Later articles in this series examine the plan, build, run and monitor objectives and domains, which have changed under COBIT 2019.)
COBIT's distinction between governance and management is similar to the approach of other standard-setters, for example COSO and the Institute of Internal Auditors (IIA). My blog post Implement effective governance practices in not-for-profits examines this distinction in not-for-profit organizations, and my post Internal audit is your third line of defense examines it under the IIA's Three Lines of Defense Model, which COSO also promotes.
COBIT 2019 replaces the five core principles of COBIT 5
COBIT 2019 includes two sets of principles, one for governance systems and one for governance frameworks. These are:
- Six core principles or requirements of a governance system for EGIT; and
- Three principles which should form the basis of a governance framework.
The six principles on which an enterprise's governance system should be based are that:
- Every enterprise needs a governance system to identify stakeholder needs and generate value from its use of I&T;
- A governance system for enterprise I&T is built from components of different types that work together holistically. Components include processes, policies, procedures and culture (more on components below);
- A governance system should be dynamic. When a design factor (for example the enterprise's strategy or goals) changes, the enterprise must examine the effect on the EGIT system (more on design factors below);
- A governance system should clearly distinguish between governance and management activities, structures and domains (more on this later in this series);
- An enterprise should tailor its governance system to its needs, using design factors (for example its strategy or goals) as parameters for customizing and prioritizing governance system components; and
- A governance system must cover the enterprise end to end, focusing not only on the IT function but on all I&T processing, wherever in the organization it takes place.
The governance framework (such as COBIT 2019) that an enterprise uses to build its governance system should itself be based on three principles. The framework should be:
- Based on a conceptual model that identifies the key components and the relationships among them, to maximize consistency and allow automation;
- Open and flexible, to facilitate the addition of new content and issues, while maintaining integrity and consistency; and
- Aligned to the major standards, frameworks and regulations.
COBIT 2019 checks all three boxes—recall the inputs to COBIT 2019, described above.
What are the components of an enterprise's governance system? (COBIT 5 called these enablers)
To satisfy COBIT 2019's governance and management objectives, an enterprise must establish, tailor and sustain a governance system made up of several components which:
- Are factors that, individually and collectively, contribute to the good operation of the enterprise's governance system over I&T;
- Interact with each other, resulting in a holistic governance system for I&T; and
- Are of different types. COBIT 2019 defines seven component types:
- Processes;
- Organizational structures;
- Principles, policies and frameworks;
- Information;
- Culture, ethics and behaviour;
- People, skills and competencies; and
- Services, infrastructure and applications.
Which stakeholders are relevant to an EGIT system?
COBIT 2019 requires that an EGIT system consider all enterprise stakeholders, because the enterprise must transform stakeholder needs into actionable strategy. Stakeholder needs cascade into enterprise goals, then alignment goals and, ultimately, governance and management objectives. (Later articles explore the goals cascade and the governance and management objectives, and how COBIT 2019 has updated these concepts.)
COBIT 2019 recognizes both internal and external stakeholders and explains how each benefits from the framework. Internal stakeholders include the board, executive management, business managers, IT managers, assurance providers (for example internal audit) and risk management. External stakeholders include regulators, business partners and IT vendors.
Stay tuned for the remaining articles in this series to better understand COBIT 2019.
Information Technology PolicyPro already covers strategies for introducing an effective EGIT system or improving the one you have. Read more about COBIT in the Introduction chapter of the manual. The manual will be updated on a rolling basis to reflect COBIT 2019.
Policies and procedures are essential to good governance and internal controls, but the work required to create and maintain them can seem daunting. Information Technology PolicyPro, co-marketed by First Reference and Chartered Professional Accountants Canada (CPA Canada), contains sample policies, procedures and other documents, plus authoritative commentary on EGIT, to save you time and effort in establishing and updating your internal controls and policies.