• Bookmark

Using Versus Implementing COBIT 5

By Barry D. Lewis, CISM, CGEIT, CRISC, COBIT Foundation, CISSP

COBIT Focus | 22 June 2015

Enterprises are being encouraged to implement COBIT to improve their governance of enterprise IT (GEIT) and this is good advice. However, many enterprises are understandably reluctant to undergo such a massive project, or have difficulty obtaining senior management buy-in due to budget, staffing or indecision over benefits. A couple of countries are pursuing COBIT 5 through legislation or government initiatives, such as Turkey (in financial institutions) and, more recently, Bahrain.1

These are undoubtedly useful methods, but what can all the remaining governments and businesses do to improve their GEIT when faced with the above difficulties? There are numerous benefits to COBIT 5, including:

  • Reduced costs
  • IT-business alignment
  • The benefits realization of IT investments
  • The ability to meet regulatory and compliance requirements
  • Reduced IT-related business risk

COBIT 5, therefore, offers enterprises obvious benefits for bringing its processes, practices and activities into day-to-day governance. In North America, the number of enterprises implementing COBIT is quite low, yet arguably, the need for such governance has never been higher.

In my COBIT 5 Foundation classes, I typically exhort the attendees to focus on using COBIT, not implementing it. Why is this an important distinction?

Implementing COBIT requires a sound business case combining effective sponsorship, scope, involvement of key stakeholders, business benefits, costs, risk and numerous other typical elements. Documenting these and ensuring that an enterprise’s implementation business case will be successful can be challenging.

Using COBIT 5, however, can be done with little to no upfront effort. In the end, both methods will provide an enterprise with the benefits of COBIT 5 in varying degrees over time. The overall GEIT can be improved and the benefits of this framework can be obtained by picking and choosing key aspects of COBIT 5 rather than attempting to begin, what might be seen as, the huge project of implementation. Naturally, one of the first things to remember is that COBIT 5 is generic, not prescriptive, and so the first task might be to modify it as needed to ensure that it fits your enterprise needs.

The following sections provide tips for using COBIT 5.

Use COBIT 5 for Gap Analysis

Many enterprises are unaware of their current state of governance. There are 3 high-level methods that can be used to get a feel for the degree of compliance in your enterprise.

  1. Use the 37 processes, with descriptions and goals in a workshop format. By ensuring the appropriate business owners, IT and executives are present, one can quickly determine a gut feel for the level of governance via a review of each process and determination of the general understanding of the enterprise’s compliance with GEIT.
  2. For a more detailed analysis, use the 210 practices instead and follow the same path as above, only at this more discrete level of detail.
  3. Finally, do an in-depth analysis using the 1,111 activities. This obviously requires more time and numerous workshops, but can readily supply a level of detail that allows the enterprise to focus its governance efforts while understanding what it is already doing right.

Naturally, this also provides audit with a methodology for performing governance audits. Of course, remember that Processes is only one of the 7 enablers. With more time and resources, you might consider adding to the above, in similar degrees of detail, data on the remaining enablers: Principles, Policies and Frameworks; Organisational Structures; Culture, Ethics and Behaviour; Information; Services, Infrastructure and Applications; and People, Skills and Competencies.

Use the Goals Lists to Help With Translation

One of the difficulties in most enterprises is the language barrier. I am not referring to countries of origin here, but rather the language of IT and the very different language of business. The goals cascade allows an enterprise to take stakeholder needs down through enterprise goals to IT goals and on to the COBIT processes needed to support those stakeholder needs. The two goals lists (enterprise and IT) provide a ready translation between business and IT. All that is needed is to make sure each area of the enterprise uses the lists to help ensure an appropriate understanding when discussing the goals of the business and the methods of supporting the goals within IT.

Figure 1—COBIT 5 Enterprise Goals

Source: ISACA, COBIT 5, USA, 2012

Figure 2—COBIT 5 IT-related Goals

Source: ISACA, COBIT 5, USA, 2012

Use the Goals Cascade to Help Solve Stakeholder Needs

A primary benefit of COBIT is the goals cascade.2 An enterprise does not need to implement COBIT 5 to make good use of the framework. By listening to stakeholder complaints, one can learn their key issues and then focus on the key COBIT processes that will help reduce or eliminate those key needs by following the mapping provided in the goals cascade.

This is an immensely beneficial tool regardless of whether COBIT 5 has been formally introduced into the enterprise. Naturally, the ideal is to always obtain senior management approval and a formal justification for bringing the framework into the enterprise. The point is this does not necessarily mean a formal implementation project and the resulting wait for business case approval, project setup and implementation of key deliverables. The goals cascade can be used within an enterprise without much preplanning.

Figure 3—COBIT 5 Goals Cascade Overview

Source: ISACA, COBIT 5, USA, 2012

Use the Pain Points Mapping to Improve Governance

COBIT 5 Implementation has much to offer even if the enterprise is not formally implementing COBIT 5. One key area to pull from the guide is the already-provided mapping between pain points and the relevant COBIT 5 processes.3 ISACA has developed a list of common pain points (or trigger events if one wants to focus on those instead). This list can be used to pull from and to determine what the key difficulty is in the enterprise (ask senior executives) and know which COBIT processes are needed to resolve a particular pain point.


This short article strives to ensure that enterprises realize many parts of COBIT can be used either individually or as part of a formal integration of COBIT into an enterprise. Both methods can coexist and assist the organization. Using COBIT 5 eventually reaches the same goals as implementing COBIT 5, albeit through a less formal, yet possibly more practical path, especially for enterprises that struggle to get approvals for large projects.

Barry D. Lewis, CISM, CGEIT, CRISC, COBIT Foundation, CISSP

is president of Cerberus and has more than 40 years of experience in information technology, specializing in information security and IT governance for more than 30 years. He began work in the consulting field in 1987 and worked for two major audit firms before starting his own company in 1991 and joining Cerberus in 1993. He was awarded the John Kuyers Best Speaker/Conference Contributor Award in 2008. Lewis is coauthor of numerous books, including Computer Security for Dummies, Teach Yourself Windows 2000 Server in 21 Days and Wireless Networks for Dummies. His books have been translated into numerous languages around the world. Lewis lectures and consults worldwide and has led seminars for ISACA globally.


1 Sugumaran, H.; K. Al-Mutawah; Z. A. Al-Khaja ; “ Bahrain Government Embraces COBIT 5 Governance and IT Management,” COBIT Focus, 18 May, 2015
2 ISACA, COBIT 5, USA, 2012, Chapter 2
3 ISACA, COBIT 5 Implementation, USA, 2012, Appendix A