A New COBIT Is in Town and I Really Like How It Looks

By Mark Thomas, CRISC, CGEIT

Yazının orijinaline buradan ulaşabilirsiniz.


ISACA released the latest version of the COBIT framework and I can tell you without hesitation that this latest structure is one of the best governance and management frameworks to date for the enterprise governance of information and technology (EGIT). If you have not yet taken a look at COBIT 2019, now is the time.

There are 4 key publications in this release:

One of the things I like about ISACA’s approach is that the first 2 publications are free as PDF downloads to ISACA members and nonmembers. They can be downloaded on the COBIT 2019 web page. Books 3 and 4 are also free as PDF downloads to members.

Many of you know that I am a big fan of frameworks, and this new release of COBIT is a good one—a more comprehensive information and technology (I&T) governance and management framework. COBIT continues to establish itself as not only a generally accepted framework for I&T governance, but a framework that is aimed at the whole enterprise—which is to say, all of the technology and information processing an enterprise uses to achieve its goals. It is important to note that COBIT is not a framework that organizes business process, nor is it a framework for governing and managing all specific technologies. It focuses on the I&T components required to govern and manage the information that an enterprise receives, processes, stores and disseminates.

What Is New in COBIT 2019?

From my reading in these new publications, there are some major differences between COBIT 2019 and its predecessor, COBIT 5. These include modified principles; new focus areas; new design factors; an updated goals cascade; modified processes (from 37 to 40); updated performance management; the term “governance components,” which replaces the COBIT 5 enablers; and my personal favorite, new detailed governance and management objectives. There are so many positive changes that it is difficult to capture all of them here, so I am going to focus on how the new components and governance and management objectives interrelate. You may be wondering how processes fit into this. I will walk you through this.

Governance Components

In order to achieve governance and management objectives, enterprises should establish a governance system built from a number of components. “Components are factors that, individually and collectively, contribute to the good operations of the enterprise’s governance system over I&T.”1 These components include:

  • Processes
  • Organizational structures
  • Information flows and items
  • People, skills and competencies
  • Culture, ethics and behavior
  • Policies and procedures
  • Services, infrastructure and applications

You may remember these as enablers in COBIT 5. I loved the concept of enablers in COBIT 5, but it was very difficult to link them to practical uses in an enterprise. These components are now a key part of the COBIT 2019 framework based on how they are linked to the governance and management objectives.

Governance and Management Objectives

One of the key areas of delivering I&T value is to contribute to the achievement of enterprise goals (identified in the modified goals cascade). These objectives are organized in the same domains we have seen before (figure 1):

Figure 1—COBIT 2019 Domains

Each domain has a set of governance and management objectives. A governance or management objective always relates to one process and the related components to achieve the objective. Governance objectives are associated with Evaluate, Direct and Monitor (EDM), while management objectives are associated with Align, Plan and Organize (APO); Build, Acquire and Implement (BAI); Deliver, Service and Support (DSS); and Monitor, Evaluate and Assess (MEA).

There are 40 governance and management objectives, as seen in figure 2.

Figure 2—COBIT 2019 Governance and Management Objectives

Source: ISACA, COBIT 2019 Framework: Introduction and Methodology, USA, 2018. Reprinted with permission.

Known as the process reference model (PRM) in COBIT 5, COBIT 2019 identifies this as the COBIT Core Model. In this model, each of the 40 governance and management objectives relates to a process, which is one of the governance components. Now, how do all of these come together?

Using Governance and Management Objectives With Components

As mentioned, each of the governance and management objectives always relates to 1 process in the COBIT Core Model, so it should come as no surprise that the Core Model has 40 processes. Here is where this model is powerful. Remember, earlier I mentioned that the COBIT 5 enablers were difficult to link to the COBIT model? Well, now we see that each of these components (previously enablers) are used to describe all of the ingredients required to meet the objective.

In the COBIT 2019 Framework: Governance and Management Objectives publication, each of the governance and management objectives (also known as processes) is clearly described using the governance components as illustrated in figure 3.

Figure 3—COBIT Core Model and Components of a Governance System

Now that I have explained how these are linked, let us look at an example of how a governance or management objective is described. I will use BAI06 Managed IT Changes as an example.

High-Level Information
This includes the domain name, focus area, governance or management objective name, description and purpose statement (figure 4).

Figure 4—Display of Governance and Management Objectives

Source: ISACA, COBIT 2019 Framework: Introduction and Methodology, USA, 2018. Reprinted with permission.

Goals Cascade
This includes applicable alignment goals (formerly known as IT-related goals), enterprise goals and example metrics (figure 5).

Figure 5—Display of Applicable Enterprise and Alignment Goals and Example Metrics

Source: ISACA, COBIT 2019 Framework: Introduction and Methodology, USA, 2018. Reprinted with permission.

Related Components
As mentioned earlier, there are 7 components, which were referred to as “enablers” in COBIT 5. They are:

1. Processes
Every governance or management objective relates to one process, a key element. Within the Process component, not much has changed. We still see a set of management practices, example metrics and activities, as well as related guidance. Remember that related guidance is now provided for each of the governance components. One of the major additions to COBIT 2019 is that each activity is associated with a capability level (figure 6).

Figure 6—Display of Process Component

Source: ISACA, COBIT 2019 Framework: Introduction and Methodology, USA, 2018. Reprinted with permission.

2. Organizational Structures
The different levels of involvement can be divided into responsible and accountable levels. Enterprises should review levels of responsibility and accountability, consulted and informed (RACI), and update roles and organizational structures in the chart according to the enterprise’s context, priorities and terminology. Suggesting only responsible and accountable roles is different from COBIT 5; COBIT 5 included consulted and informed as well. Since consulted and informed roles depend on organizational context and priorities, they are not included in the new COBIT guidance (figure 7).

Figure 7—Display of Organizational Structures Component

Source: ISACA, COBIT 2019 Framework: Introduction and Methodology, USA, 2018. Reprinted with permission.

3. Information Flows and Items.
This governance component provides guidance on the information flows and items linked with process practices. Each practice includes inputs and outputs, with indications of origin and destination (figure 8).

Figure 8—Display of Information Flows and Items Component

Source: ISACA, COBIT 2019 Framework: Introduction and Methodology, USA, 2018. Reprinted with permission.

4. People, Skills and Competencies
This component identifies human resources and skills required to achieve the governance or management objective (figure 9).

Figure 9—Display of People, Skills and Competencies Component

Source: ISACA, COBIT 2019 Framework: Introduction and Methodology, USA, 2018. Reprinted with permission.

5. Culture, Ethics and Behavior
This component provides detailed guidance on desired cultural elements within the organization that support the achievement of a governance or management objective (figure 10).

Figure 10—Display of Culture, Ethics and Behavior Component

Source: ISACA, COBIT 2019 Framework: Introduction and Methodology, USA, 2018. Reprinted with permission.

6. Policies and Procedures
This component provides detailed guidance on desired cultural elements within the organization that support the achievement of a governance or management objective (figure 11).

Figure 11—Display of Policies and Procedures Component

Source: ISACA, COBIT 2019 Framework: Introduction and Methodology, USA, 2018. Reprinted with permission.

7. Services, Infrastructure and Applications
This component provides detailed guidance on third-party services, types of infrastructure, and categories of applications that can be applied to support the achievement of a governance or management objective. Guidance is generic (to avoid naming specific vendors or products).

Figure 12—Display of Services, Infrastructure and Applications Component

Source: ISACA, COBIT 2019 Framework: Introduction and Methodology, USA, 2018. Reprinted with permission.

Related Guidance

For each governance component, COBIT 2019 identifies the applicable standards, frameworks and compliance requirements that can be referenced. It also includes detailed references where available. Related guidance is found under each of the applicable components—this is different from COBIT 5 where this was applied only at the process level.

Keep an eye out for more of my perspectives on the new COBIT 2019 framework in upcoming articles. As always, your thoughts and perspectives are appreciated!

Editor’s Note

This article is reprinted from a blog post published by the author, Mark Thomas, available here.

Mark Thomas, CRISC, CGEIT

Is an internationally known IT governance expert and the president of Escoute Consulting. His background spans more than 20 years of professional experience including leadership roles from chief information officer to management and IT consulting. Thomas has led large teams in outsourced IT arrangements, managed enterprise applications implementations, and implemented governance and risk processes across multiple industries. Additionally, he is a consultative trainer and speaker in several disciplines including COBIT, ITIL and IT governance.

Endnotes

1 ISACA, COBIT 2019, USA, 2018