An Introduction to COBIT

2922128673_8a6f85a718_b

COBIT, formerly known as Control Objectives for Information and Related Technology, is a business framework for the governance and management of enterprise IT.

It was created by ISACA, an international professional association focused on IT governance formerly known as the Information Systems Audit and Control Association. ISACA describes itself as:

“… a nonprofit, global membership association for IT and information systems professionals.”

Both ISACA and COBIT have evolved over the years

In fact, the move from both ISACA and COBIT as acronyms to names in their own right is testament to this. With the ISACA name change reflecting its broader membership constituency rather than its early computer system auditing origins.

COBIT has seen a number of iterations since its launch in 1996, as shown in the following ISACA overview:

COBITSource

The latest version, COBIT5 launched in 2012, is described by ISACA as an internationally recognized “Business Framework for the Governance and Management of Enterprise IT” that:

“… builds and expands on COBIT 4.1 by integrating other major frameworks, standards and resources, including ISACA’s Val IT and Risk IT, ITIL (“the IT service management best practice framework formerly known as the IT Infrastructure Library”) and related standards from the International Organization for Standardization (ISO).”

ISACA also kindly created a COBIT 5 versus COBIT 4.1 comparison document (the download is situated at the bottom of the page) – something that was promised for ITIL 2011 but never appeared – which outlines what has changed between versions.

The principles of COBIT 5

These are probably best shown by the use of another ISACA graphic – again taken from a downloadable COBIT presentation.

COBIT

 

With ISACA describing the benefits of COBIT as helping enterprises to:

  • “Maintain high-quality information to support business decisions
  • Achieve strategic goals and realize business benefits through the effective and innovative use of IT
  • Achieve operational excellence through reliable, efficient application of technology
  • Maintain IT-related risk at an acceptable level
  • Optimize the cost of IT services and technology
  • Support compliance with relevant laws, regulations, contractual agreements and policies”

Thus COBIT is now very much a multi-headed beast.

 “There’s a COBIT for that”

There are numerous flavors of COBIT 5 for different corporate audiences and needs. So beyond governance it provides focused guidance on areas such as security, assurance, and risk. And practical books such as:

  • Controls and Assurance in the Cloud: Using COBIT 5
  • Securing Mobile Devices Using COBIT 5 for Information Security
  • Transforming Cybersecurity: Using COBIT 5
  • Configuration Management Using COBIT 5

Or “Vendor Management: Using COBIT 5” that provides practical advice for a variety of stakeholders involved in the vendor-management process, from the board and C-level executives to the legal department and IT. It outlines:

  • Life cycle stages and stakeholders
  • Good practices to manage threats and risk
  • How to manage a cloud service provider
  • Practical service level agreement (SLA) templates, checklists and examples (available for download in an online toolkit)
  • A case study outlining the consequences of ineffective vendor management
  • A high-level mapping of COBIT 5 and ITIL V3 for vendor management.

COBIT versus ITIL?

It’s a common question, but one that results in an answer the questioner doesn’t necessarily expect.

Rather than choosing ITIL or COBIT, many will recommend ITIL and COBIT – given that they are complementary rather than competing. With COBIT a framework of policies, processes, procedures, and metrics that can help give governance-related direction to IT service management operations and the associated ITIL processes. Importantly, COBIT can help guide an IT organization in what should be covered in IT and IT service management processes and procedures (and controls), which is a step beyond ITIL.

Renowned industry luminaries Rob England (the IT Skeptic) and James Finister are both advocates of the practical, “how to” focus of COBIT over ITIL.

Accessing COBIT

Not only is COBIT information available to download in PDF-form as of September 8, 2014 there is now an online version too (registration required).

Where, to quote ISACA, users can now:

  • Personalize the new Goals & RACI Planner for their enterprise or clients.
  • Quickly view timely content from ISACA and external sources covering top issues.
  • Easily search, filter and export COBIT 5 publications.
  • Comment and ask questions.

So check COBIT out. Many people will tell you that while COBIT can provide you with the “whys” and the “whats,” ITIL will provide you with the “hows.”

Image Credit