COBIT® stands for Control Objectives for Information and Related Technology. What is it? Put simply, it is a framework for enterprise-wide governance that encompasses business functions, information and information technology resources. The COBIT® framework provides a structure upon which to build an enterprise governance program. Whereas previous versions of COBIT® enumerated and focused on control objectives, the latest version, COBIT® 5, has transitioned to governance and management guiding principles and enablers. The framework is less and less recognized by its expanded name (Control Objectives for Information and Related Technology) and is today essentially referred to as just COBIT®.
COBIT® is not prescriptive in nature. It outlines a high-level approach for implementing a governance program that extends across the entire enterprise and can involve everyone (depending on the level of implementation) from the Chairman of the Board down to the employees in the various departments of the organization. At the heart of COBIT® 5 are five key principles and seven enablers. This blog post is intended as an introduction to and summary of COBIT® 5; it covers the key principles and enablers at a high level and ends with a few thoughts on implementing COBIT®.
THE FIVE KEY PRINCIPLES OF COBIT®
One of the primary points of emphasis of the five key principles is to optimize investments made in information technology and leverage the gains for the benefit of the organizational stakeholders. Taken from the COBIT® 5 documentation, Figure 1 depicts the five key principles of COBIT®.
Figure 1 – 5 Key Principles of COBIT® (COBIT® 5, © 2012 ISACA All rights reserved. Used with permission)
Principle 1: Meeting Stakeholder Needs
A stakeholder is someone who has an investment or a vested interest in the enterprise. In COBIT®, stakeholders are divided into two groups: internal stakeholders and external stakeholders. Internal stakeholders consist of individuals ranging from board members down to IT managers and IT users. External stakeholders include the enterprise’s business partners, shareholders and customers, to name a few. As the primary governance objective of COBIT®, the Meeting Stakeholder Needs principle is focused on creating value for the stakeholders. With internal and external stakeholder groups, and many categories within each group, creating value for stakeholders can be difficult, as value for one may not be value for another.
As part of the governance effort, enterprises must weigh the value proposition against the risks to the enterprise and the resources required to obtain that value. To assist in this process, COBIT® defines the goals cascade. The image that came to my mind regarding the goals cascade is that of a multi-level waterfall where the water source starts at the top and flows down into multiple pools of varying heights, each full and spilling into the next. It is the same for the COBIT® goals cascade. In order to meet stakeholder needs, those needs have to be translated into a set of measurable actions (goals) at the enterprise level. Stakeholder needs are shaped by factors such as regulations, strategy and advances in technology; COBIT® calls these factors stakeholder drivers. Three high-level stakeholder needs defined by COBIT® are Benefits Realization, Risk Optimization and Resource Optimization. Stakeholder needs then “flow” into goals set at the enterprise level, which in turn flow down into IT-related goals, which are supported by enabler goals. Figure 2 shows a depiction of the COBIT® Goals Cascade adapted from COBIT® 5.
Figure 2 – COBIT® Goals Cascade
Principle 2: Covering the Enterprise End-to-End
This COBIT® 5 principle denotes the coverage of the COBIT® 5 governance framework; it includes all functions and processes needed to execute a governance program for information and related technologies. COBIT® 5 is comprehensive, establishing governance capabilities ranging from IT services to business process functions, enabled by the people, processes and technology of the enterprise.
Principle 3: Applying a Single Integrated Framework
The COBIT® 5 governance framework is non-technical and technology agnostic. It allows for the alignment and integration of other frameworks, such as ITIL, TOGAF and ISO standards, as well as supporting standards and practices. It is designed to produce a consistent product set and contains a set of good practices that support the COBIT® enablers.
Principle 4: Enabling a Holistic Approach
The principle of holism holds that an entity is greater than the sum of its parts. In the context of COBIT® 5, the seven categories of enablers support this principle in that they, in effect, enable or provide “power” to the entire enterprise governance process, including governance of IT. At the base of the goals cascade are the enabler goals. Working upstream, the enabler goals make possible the IT-related goals which, in turn, support the enterprise goals that are established to meet stakeholder needs. Figure 3 below identifies the COBIT® 5 enterprise enablers.
Figure 3 – COBIT® Enterprise Enablers (COBIT® 5, © 2012 ISACA All rights reserved. Used with permission)
- Principles, Policies and Frameworks provide the mechanism to convert desired behavior into guidance for the daily management of the enterprise. The principles, policies and frameworks employed by an enterprise have an impact on the other enterprise enablers.
- Processes define a set of actions targeted to achieve the goals of the enterprise through the outputs produced by the process.
- Organizational structures consist of the decision making bodies within the enterprise.
- Culture, Ethics and Behavior are often not considered to be influential in an enterprise, but they can be powerful elements that help drive toward successful achievement of enabler goals, IT-related goals and enterprise goals.
- Information is the life-blood of an organization and is required for effective governance of the enterprise.
- Services, Infrastructure and Applications are the means by which information technology products and services are deployed in an enterprise and effectively support the generation of information.
- People, Skills and Competencies are the ultimate catalyst within the enterprise structure. Without skilled and competent people, solid decision making is jeopardized, course corrections are not issued and a focus on attaining goals throughout the goals cascade is difficult to achieve.
These seven enablers are intertwined and dependent upon each other. The output of one enabler also serves as the input to another. For example, organizational structures consist of competent and skilled people that use information to make decisions regarding principles, policies and processes for the enterprise.
Principle 5: Separating Governance from Management
From the COBIT® 5 perspective, governance and management are two separate and very distinct enterprise elements that are executed by different organizational structures. From COBIT® 5, “Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives,” and “…governance is the responsibility of the board of directors under the leadership of the chairperson.” Management, on the other hand, is the responsibility of the executive leadership of the enterprise, led by the Chief Executive Officer (CEO). Those in management positions are responsible to “[plan], [build], [run] and [monitor] activities in alignment with the direction set by the governance body to achieve the enterprise objectives.” COBIT® 5 defines and describes processes that support both governance and management of enterprises. Figure 4 depicts the interactions between governance and management within an organization.
Figure 4 – COBIT® 5 Governance and Management Key Areas (COBIT® 5, © 2012 ISACA All rights reserved. Used with permission)
Under the realm of governance, the practices of Evaluate, Direct and Monitor are established and are part of each of the governance processes defined by the COBIT® 5 governance and process reference model. Within the management realm, four domains (Plan, Build, Run and Monitor) are supported by multiple processes. Each of the four management domains is further decomposed as follows:
- Plan: Align, Plan and Organize (APO) with 13 supporting processes
- Build: Build, Acquire and Implement (BAI) with 10 supporting processes
- Run: Deliver, Service and Support (DSS) with 6 supporting processes
- Monitor: Monitor, Evaluate and Assess (MEA) with 3 supporting processes
A FEW THOUGHTS ON IMPLEMENTING COBIT®
Just as with every significant enterprise initiative, the board and executive leadership must be supportive of and “buy in” to implementing COBIT®. Without their support, the roots of the COBIT® effort will be shallow and unable to sustain a COBIT® implementation across the enterprise. As a framework, COBIT® is adaptable to large and small enterprises alike. The key is to adjust the framework to the conditions of your enterprise environment and let your enterprise strategy, mission, vision, culture and risk appetite help structure your COBIT® implementation.
Ray Dunham started his career as an Air Force Officer in 1996 in the field of Communications and Computer Systems. Following his time in the Air Force, Ray worked in the defense industry in areas of system architecture, system engineering, and primarily information security. Ray leads L&C’s FedRAMP practice but also supports SOC examinations and HITRUST assessments. Ray enjoys working with clients to secure their environments and provide guidance on information security principles and practices.