COBIT 2019 – the Key Changes to COBIT 5

Hopefully you saw my COBIT 2019 blog in November – but when I wrote it I hadn’t seen the detail of what had changed in this new version of COBIT. This blog should make amends, as I try to concisely share the key changes – as COBIT 2019 serenely rises from the ashes of COBIT 5 (and if you don’t get my phoenix metaphor, then I need to state that this is a good – not a bad – thing).

So, please read on to understand much of what’s new, and valuable for IT service management (ITSM) pros, in COBIT 2019. But first I need to position COBIT…

Making Sense of COBIT in the Context of Other ITSM Approaches

The main thing that needs stating – and this isn’t new for COBIT 2019 – is that COBIT is not an “ITSM approach.” That while many of us have said, for what seems countless years, that COBIT is complementary to ITIL (or other ITSM approaches), we need to recognize that COBIT is an enterprise information and technology (I&T) governance and management framework.

There’s also an important point to note within this – that governance and management are two separate things. In fact, the COBIT 2019 Framework Introduction and Methodology document very kindly makes a distinction between the two, stating that:

“These two disciplines encompass different activities, require different organizational structures, and serve different purposes.”

And that:

• “Governance ensures that:
  • Stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives.
  • Direction is set through prioritization and decision making.
  • Performance and compliance are monitored against agreed-on direction and objectives.”
• “Management plans, builds, runs, and monitors activities, in alignment with the direction set by the governance body, to achieve the enterprise objectives.”

Why Did COBIT 5 Need Updating?

The short answer is probably: It was time.

And ISACA is very open in explaining the need for the COBIT update, including that:

• It’s an opportunity to reiterate the importance of governance
• COBIT 5 is six years old (having been born in 2012) – the world has changed, and IT has changed (in terms of both technology and industry trends), a lot since then
• There was a need to reflect changes in other frameworks and standards – these are shown in the ISACA slide below:

Source: ISACA (2018)

Amazingly, the linkages to this related guidance has increased 10-fold since COBIT 5.

COBIT 2019 is also an opportunity for ISACA to:

• Widen the target audience for COBIT
• Rediscover, or relaunch, some of COBIT’s “hidden gems”
• Address COBIT 5’s “imperfections”

Sometimes Small Changes Denote Big Things

Before digging into the real changes, have you noticed (above) that the COBIT logo has changed with COBIT 2019? Us puppets have quite the eye for detail.

Are you there yet? There’s of course a new number. Then there’s the different font (versus the COBIT 5 logo). But the real change is the O, with the reddish arrow denoting … well, I might as well use ISACA’s words here:

“To remain relevant, it is imperative that COBIT continues to evolve requiring more frequent and fluid updates. The red arrow symbolizes this notion of continuous evolution.”

What ISACA calls an “open-source” model has been adopted for COBIT 2019. This involves the ability for people to proactively provide feedback and propose enhancements, with further COBIT evolutions released as needed.

COBIT 2019’s New/Updated Coverage Areas

In its initial “marketing,” ISACA highlighted some of the areas of new/updated coverage as:

• New processes for data, projects, and compliance (more on this in a moment)
• Updates to cybersecurity and privacy
• Updated linkages to all relevant standards, guidelines, regulations, and best practices (as already outlined above)

So, while COBIT 2019 keeps the same five governance and management objectives as COBIT 5:

Source: ISACA (2018)

These five objectives domains now contain 40 processes – up from COBIT 5’s 37. There’s a new one related to Managed Data. Then two of COBIT 5’s processes have been split in two due to their size and content differences – Manage Programs and Project is split into Managed Programs, and Managed Projects. And Monitor, Evaluate and Assess the System of Internal Control is now Managed System of Internal Control and Managed Assurance. Although ISCACA states that the actual content hasn’t changed too much here.

These 40 – okay, 37 – processes were collectively known as the Process Reference Model (PRM) in COBIT 5. In COBIT 2019 they’re now the COBIT Core Model – and the reason why will be explained in a moment when I cover variant components, focus areas, and the COBIT Design Guide.

You might have also noticed a change in the process-name structure, with the death of the verb (manage) in favor of an adjective (managed). For example, COBIT 5’s Manage Strategy is now Managed Strategy in COBIT 2019. Sorry to get all grammar on you.

COBIT 5’s Enablers Have Been Renamed to Components (Plus They Now Have Variants)

COBIT 2019 defines the components to build and sustain a governance system: processes, organizational structures, policies and procedures, information flows, culture and behaviors, skills, and infrastructure (with these seven components previously termed “enablers” in COBIT 5).

These components (of a governance system) can be either generic or “variants of generic.” Generic components are described in the COBIT Core Model and apply in principle to any situation (although they “generally need customization before being practically implemented.”) Whereas variants are based on the generic components but tailored for a specific purpose or context within a focus area. For instance, information security, DevOps, or in the context of a particular regulation.

The number of potential focus areas is considered virtually unlimited – which makes COBIT open-ended. With both information security and DevOps, along with small and medium enterprises and risk, the first four focus areas to be worked on by COBIT’s collaborators.

Design Factors Are New to COBIT 2019

COBIT 2019 offers up 11 design factors that influence the sort of governance system your organization needs. These are shown in the image below:

Source: ISACA (2018)

Design factor influence can make some governance and management objectives more important than others. Which elevates the required capabilities (something else that’s new in COBIT 2019 – and there’s more on this in a minute). And design factors can influence the importance of one or more components or require specific variants.

To help with this, especially in speeding up “time to value,” a new Design Guide and an updated Implementation Guide are included in the COBIT 2019 portfolio.

COBIT Performance Management Is Also New to COBIT 2019

COBIT Performance Management (CPM) refers to how well your organization’s governance and management system, plus all of the components, work. With it considered an integral part of the COBIT framework.

This new model is heavily inspired by CMMI – with 0-5 scoring of processes within each of the governance and management objectives. It’s worth noting that the new scoring mechanism is different to COBIT 5 scoring, with Level 2 now the basic level (of capability), and Levels 3 and above adding sophistication. Each process activity is also associated with a capability level.

So, much has changed with COBIT 2019. And while this blog is already long, I’m sure I could have found even more to write about. Once you get a chance to look at the new COBIT 2019 publications, please add to my list of changes (versus COBIT 5) by posting in the comments.