When ISACA announced it was replacing COBIT 4.1 with a new version of the framework, some experts were skeptical. COBIT 4.1 was easy. The content was very familiar. If additional information not covered in COBIT was needed, another document like Val IT or Risk IT could provide more details. But it turns out, there was a much more organized approach to the framework, and COBIT 5 did just that. Not only did it incorporate several other ISACA documents (e.g., Val IT or Risk IT) into this one overarching framework, it also incorporated some additional major frameworks and standards from the industry.
However, the COBIT 5 product family has a lot of documents to choose from, and sometimes it is tough to know exactly where to look for specific information. A common question a lot of new COBIT users ask is, “Which document do I look to for (fill in the blank)?” A key principle of COBIT 5 is to integrate all knowledge previously dispersed over different ISACA frameworks. So what does this mean? The COBIT 5 product family is now the starting point and provides direction for where to look for additional information. The product family is neatly organized into logical groups of documents, starting with COBIT 5, and supported by enabler and professional guides that contain the details of almost anything that might be needed. Additionally, with the recent launch of COBIT Online, searching the framework has become very easy.
So, if you are at all confused about what is in these products, the following offers a description of each product and why it is useful.
Figure 1—COBIT 5 Product Family
Source: ISACA, COBIT 5, USA, 2012
COBIT 5
This is the core document to go to for an end-to-end business view of the governance of enterprise IT (GEIT). It is also known as “A Business Framework for the Governance and Management of Enterprise IT.” Surprisingly, at 94 pages, this is not a huge document. It explains the overall structure of the framework, particularly the 5 principles and 7 enablers. It is worth noting that the COBIT 5 framework itself is the 5 principles (documented on pages 17-34, so 17 pages for the core framework guidance). The best part is the description of the goals cascade in the appendices, which in my opinion is one of the best-kept secrets in the industry. Also, when studying to take the foundation exam, spend some time in appendix G, which outlines some great nuggets on the 7 enablers.
COBIT 5: Enabling Processes
COBIT 5: Enabling Processes is a detailed reference guide to the processes defined in the COBIT 5 process reference model. For every process there is a description; purpose; goals and metrics; practices; activities; Responsible, Accountable, Consulted and Informed (RACI) matrices; and inputs/outputs. Each process also references an industry best practice. At first glance, this looks like just a bunch of tables and lists, but do not be fooled: This is the authoritative guide for process governance, and it is impressive.
COBIT 5: Enabling Information
Want a structured way of thinking about information governance and management? Look no further than COBIT 5: Enabling Information, because this is it. This publication includes a comprehensive model that comprises all aspects of information and can be applied throughout the entire life cycle of information, from concept and design to assurance, to disposal. The best part? It addresses multiple issues from the perspective of applicable enablers (yes, the same enablers found in the COBIT 5 framework).
COBIT 5 Implementation
This publication provides a good-practice approach for a governance implementation based on a continual improvement life cycle. If it sounds too good to be true, take a chance and dive into this gem. The utility of this approach is that it is continuous and leverages 7 essential steps that are further broken down into 3 focus areas (program management, change enablement and continual improvement tasks). This approach has proven to be logical and adaptable, and COBIT 5 Implementation is recommended as essential reading for anyone attempting to adopt a governance program.
COBIT 5 for Information Security
There is a general awareness that information security is a pretty hot topic right now, which is why spending some time getting to know this publication is highly recommended. COBIT 5 for Information Security is the most complete and up-to-date guidance that incorporates COBIT with aspects of many globally accepted standards and practices today. It is useful not only for security professionals, but for IT and business users as well. Even those who do not consider themselves to be security professionals will find that the appendices provide detailed security information for each of the 7 COBIT enablers that is easy to understand and useful.
COBIT 5 for Assurance
This publication is for auditors. COBIT 5 for Assurance will not only help improve an assurance approach, but also supports this approach with a clear picture of the audit function with respect to planning, scoping and executing IT assurance initiatives. However, the name does not say it all. There is a gold mine of rich information for IT professionals as well. It should not be a surprise by now that this is also organized by enablers, which is consistent with the entire COBIT product family.
COBIT 5 for Risk
Do not be fooled by its title. This document is not just about IT risk; it is about business risk. More specifically, the business risk associated with the use, ownership, operation and involvement of IT in an enterprise. I just recently used this document while working with a client on creating an enterprise risk register and found that COBIT 5 for Risk has done a lot of the groundwork already. What may not be known about this document is that it outlines 111 generic risk scenarios that can be tailored to fit almost any organization. It has been used this way in real-world scenarios, and others should use it, too.
COBIT 5 Online
Are you looking for an easy way to search all of the COBIT 5 products for a particular area? Try searching COBIT Online. Do you need a flexible tool to create a customized goals cascade and associated RACI matrix? Try COBIT Online. If you are using or plan on using COBIT, give COBIT Online a try. In addition to getting COBIT documentation, COBIT Online provides timely news and insights, social collaboration, and many other great nuggets. It should be noted that much of the functionality mentioned is only available to ISACA members.
Additional Uses of the COBIT 5 Framework
This article focuses on COBIT 5’s core publications. ISACA also uses the COBIT 5 framework as the basis of practical guidance that addresses key GEIT issues that enterprises experience. These include: COBIT 5 Principles: Where Did They Come From?, Controls and Assurance in the Cloud: Using COBIT 5, Relating the COSO Internal Control—Integrated Framework and COBIT, Vendor Management: Using COBIT 5, Securing Mobile Devices, Transforming Cybersecurity, Configuration Management Using COBIT 5 and IT Control Objectives for Sarbanes-Oxley: Using COBIT 5 in the Design and Implementation of Internal Controls Over Financial Reporting, 3rd Edition. It is worth noting that an enterprise does not need to be a COBIT 5 user to get value from these guides. Indeed, the issues they address are often a great way to start using COBIT 5 in practice, because each guide helps the enterprise get a specific issue under control.
Mark Thomas, CGEIT, is an internationally known IT governance expert and the president of Escoute Consulting. His background spans more than 20 years of professional experience, including leadership roles from chief information officer (CIO) to management and IT consulting. Thomas has led large teams in outsourced IT arrangements, managed enterprise application implementations, and implemented governance and risk processes across multiple industries. Additionally, he has forged a reputable competency as a consultative trainer and speaker in several disciplines, including COBIT, ITIL and IT governance.