Case Studies

COBIT Case Studies by Industry

Consulting/IT
Education
Energy
Financial Services/Insurance
Government
Healthcare/Related
Manufacturing/Transportation

Submit your organization for a case study.

Consulting/IT

	How Used?	Why COBIT?
Sun Microsystems/Oracle January 2012	Sun/Oracle has found COBIT matrices and mapping documents very helpful when talking about how the various frameworks all fit together. The enterprise has successfully leveraged the concepts in the COBIT-related materials to create discussion of health and maturity self-assessments, provide a line of sight between its activities and its business goals, bring predictability and reliability to how the IT group plans and manages the work across the enterprise, and complement its corporate planning cycle with an “IT management cycle.”	COBIT provided a useful supporting toolset for the enterprise to govern and manage the IT contribution to the enterprise. COBIT harmonized the enterprise’s many existing frameworks. A COBIT champion ensured that the organization could get really serious about improving governance and management of enterprise IT. A COBIT-inspired model helped all groups see how their work fit under an overall umbrella and how their work related to each other’s work.

Maitland July 2011	Maitland utilized COBIT to create a shared understanding of information and communication technology (ICT) and its purpose and impact on the enterprise and to increase business oversight and accountability for ICT.	Is a globally recognized framework. Provides universally applicable governance principle Increases business oversight

Dongbu HiTek January 2009	The company used COBIT to standardize its business processes based on global standards, comply with K-SOX and ISO 27001, and implement IT governance for Real Time Enterprise (RTE).	It provides global best practices for IT business processes. It is complementary with major international standards, ITIL, the ISO 27000 series and PMBOK. It provides a common language.

Jefferson Wells, USA November 2007	Jefferson Wells used COBIT to assess existing controls and make recommendations on new controls for a client. For the IT controls, there is an assessment form that maps COSO to COBIT, and results are recorded directly into a database.	COBIT helped break down (COSO-related) information into understandable requirements. Comprehensive guidance helped the client’s organization build the high-priority controls it needs.

The Manta Group, Canada December 2006	COBIT helped clients improve their processes and achieve alignment with business goals through relevant and practical controls and metrics.	Is the only internationally accepted framework to provide a complete model for governing and attaining value from investments in IT Educated IT and business management regarding the value of IT governance

Sun Microsystems, USA June 2005	In light of Sarbanes-Oxley and other legislation, Sun’s IT department sought a common framework to view and measure IT’s alignment and contribution to the overall business strategy.	Supported IT control activities in a resource-constrained environment. Enabled a common language to be used across processes

Unisys Corporation, USA September 2005	COBIT helped Unisys standardize IT strategy to support global operations, align the IT infrastructure with the company’s overall business strategy and help with Sarbanes-Oxley compliance.	Is an external standard against which to be measured Provided a comprehensive view of the IT enterprise and a good approach to problem-solving

Education

	How Used?	Why COBIT?
Blackboard Inc. April 2007	COBIT is a powerful way to navigate change and improve IT governance.	Helps IT leaders assess current operations and incorporate them into due diligence activities Creates strong relationships with external auditors

Energy

	How Used?	Why COBIT?
Adnoc Distributions December 2008	Adnoc then implemented the three most important and relevant COBIT processes, according to the current budget and resources availability. The three processes selected focused on change management, business continuity and service level management. Currently, Adnoc uses COBIT in combination with other best practices, including portions of ITIL, as well as ISO 27001 and PMBOK standards. Additional COBIT processes, including one related to data management, have been identified for the next phase of implementation.	Adnoc felt that no other standard offered a complete framework to address all the elements of a process, including measurements, key performance indicators (KPIs) and key goal indicators (KGIs) Found to be more general and business-oriented than other standards/frameworks Encompasses most of the elements of an IT environment, while most other standards/frameworks focus on one respective area

Ecopetrol SA June 2010	The Information Technology Division chose COBIT as the proper IT governance framework to integrate an IT management system. Ecopetrol chose to implement 28 COBIT processes, giving priority to the control objectives that support Sarbanes-Oxley compliance.	It enables mapping of IT goals to business goals. It results in better alignment, based on a business focus. It provides a view of what IT does that is understandable to management. It indicates clear ownership and responsibilities based on process orientation. It is generally accepted by third parties and regulators.

How Used?

Why COBIT?

Adnoc Logo
Adnoc Distributions

December 2008

Adnoc then implemented the three most important and relevant COBIT processes, according to the current budget and resources availability. The three processes selected focused on change management, business continuity and service level management.
Currently, Adnoc uses COBIT in combination with other best practices, including portions of ITIL, as well as ISO 27001 and PMBOK standards.
Additional COBIT processes, including one related to data management, have been identified for the next phase of implementation.

Adnoc felt that no other standard offered a complete framework to address all the elements of a process, including measurements, key performance indicators (KPIs) and key goal indicators (KGIs)
Found to be more general and business-oriented than other standards/frameworks
Encompasses most of the elements of an IT environment, while most other standards/frameworks focus on one respective area

Ecopetrol SA

June 2010

The Information Technology Division chose COBIT as the proper IT governance framework to integrate an IT management system. Ecopetrol chose to implement 28 COBIT processes, giving priority to the control objectives that support Sarbanes-Oxley compliance.

It enables mapping of IT goals to business goals.
It results in better alignment, based on a business focus.
It provides a view of what IT does that is understandable to management.
It indicates clear ownership and responsibilities based on process orientation.
It is generally accepted by third parties and regulators.

Financial Services/Insurance

	How Used?	Why COBIT?
National Stock Exchange (NSE) of India Limited January 2012	NSE’s risk management framework was developed based on Risk IT, a component of COBIT. Due to the criticality of NSE’s business operations—and the frequent changes in its IT infrastructure—the decision was made to focus on risk management as an integral element of its day-to-day business processes. NSE concluded that changes in risk need to be tracked on an ongoing basis and defined a monitoring process for continuous updating of changes in the risk profile.	Risk IT provided control objectives to identify control gaps and to assess the impact of controls on the risk profile. Risk IT helped NSE build a uniform structure and view of IT risk across the organization. Risk IT provided a granular guidance on risk management processes. Risk IT helped to link IT risk with business objectives.

Grupo Bancolombia January 2011	Grupo Bancolombia used COBIT to create a shared vision, unique language, alignment between business strategic planning and IT strategic planning, and clarity in roles and responsibilities.	Is used worldwide by auditors to verify adherence to and compliance with IT internal controls Helps to ensure compliance with the US Sarbanes-Oxley Act and other global legislation Provides a proactive approach to improving technology processes and services

Banco Supervielle S.A. November 2010 (Spanish)	Banco Supervielle S.A. used COBIT to create an IT governance framework that enabled the bank to provide training and awareness of internal controls and best practices; to redefine roles, responsibilities and IT internal processes; to implement a control dashboard; and to initiate risk administration.	Recommended by the local ISACA chapter Most closely matched the bank’s needs Facilitated the bank in measuring its current maturity level, its desired maturity level and estimated time to achieve it

MetLife August 2010	Leveraged Risk IT to create a MetLife-specific IT risk management framework that allows management to consider all aspects of managing IT risk consistently across the enterprise and better connect it to business operational risk activities.	COBIT is a globally accepted source of best practices. Risk IT’s structure and contents are easily digested by risk professionals Plan to use the MetLife IT Risk Framework (based on ISACA’s Risk IT) to perform a process maturity analysis on an annual basis

A global bank July 2010	A global bank used COBIT successfully to provide a common language for multiple technology and business teams, streamline the company’s list of controls, and manage risk and control process for Sarbanes-Oxley and other regulations.	COBIT provided a common governance and assurance process across technology teams. COBIT helped in developing and managing a single list of controls for each type of risk. COBIT provided confidence to senior executives on the reporting and attestation process.

Blue Cross and Blue Shield of North Carolina And IBM Business Consulting October 2009	When developing a program that addressed Sarbanes-Oxley, the team realized that they needed the COBIT control framework because it allows them to “own” their IT controls.	COBIT is the only IT management and control framework that covers the end-to-end IT life cycle. COBIT maps 100% to COSO.


Central Bank of the Republic of Armenia February 2009	The IT audit division uses COBIT when performing audits, and risk assessments are conducted according to COBIT processes.	The board selected COBIT after conducting global research and finding that COBIT was well known and internationally respected.

ICW Group January 2009	ICW Group’s CIO presented the Val IT tool set from ISACA to senior management as the most effective way to both mature the organization and deliver high-quality solutions.	Val IT is helping the organization achieve ambitious goals by enabling it to make smart decisions that deliver the best business value. Val IT’s proven practices provide practical guidance that helps it reduce costs and increase control.

Pension–Fennia October 2008	Pension–Fennia used COSO ERM and COBIT to maximize its effectiveness and optimize the maturity of its controls. By using this combined approach, the organization was able to clarify the mutual goals and responsibilities of its business units and IT.	To use COBIT’s maturity approach as a complement to COSO ERM To deepen the synergy and mutual understanding between business units and IT, and between IT and its service providers.

Kuwait Turk Participation Bank April 2007	Kuwait Turk initially implanted COBIT to comply with requirements set by the Banking Regulation and Supervision Agency of Turkey (BRSA), but soon realized that the use of COBIT provided many additional benefits, including more controlled and integrated IT processes.	Came highly recommended Internationally accepted and easily maps to other leading standards

Canadian Tire Financial Services, Ltd. February 2007	COBIT helped communicate to IT and management why they needed to care about effective controls and provide a framework for implementation.	COBIT was selected as the framework with which to comply because its control objectives are internationally recognized and considered to be effective at controlling IT-related processes

Prudential, Asia September 2006	The adoption of COBIT was supported by Prudential’s CEO and board members. COBIT has helped Prudential’s Asia IT team achieve enhanced communication between IT and business operations and responsiveness in project management	Helped provide a uniformed platform to sustain growth and eliminate risks

Government

	How Used?	Why COBIT?
U.S. Department of Veterans Affairs June 2009	A new organizational structure for centralized IT management was based on industry best practices including COBIT and Val IT, both of which provide a framework for IT governance plans, structures and investments.	Bridges the gaps among control requirements, technical issues and business risks. Enables clear policy development and best practices Emphasizes regulatory compliance

Government of Dubai April 2009	The Financial Audit Department (FAD), the supreme audit institution of Dubai, recognized the need to promote, formalize and improve IT governance practices within Dubai as the extensive usage of IT is widely accepted as an essential component in providing services to citizens, residents and business entities.	Team members of the IS audit section of FAD are mostly members of ISACA who hold the CISA, CISM or CGEIT designation. COBIT had already been adopted as the resource serving as the overall framework for IS audit methodology since 2000. The team decided to promote the best practices of COBIT resources among its audit community. COBIT provides control objectives, control practice statements and other resources supporting assurance processes as a global reference framework and benchmark.

European Parliament January 2009	The European Parliament used the Val IT framework to implement a multi-annual IT plan, prioritising IT investments and business-as-usual work requests following solid, transparent, objective and widely accepted criteria, which are in line both with the IT strategy and with Parliament’s general long-term goals.	The European Parliament identified the right projects to implement, and has a way of following up on the benefits generated by these projects. Transparency allows EP to create consensus between business users and technical people that EP is doing the right thing, at the right time, within the constraints of the means available.

Ontario Pension Board September 2007	OPB uses COBIT for continual improvement of IT value and control. The self-evaluation process enabled development of a service catalogue and better alignment with OPB’s outsource service provider.	Provide better and more personalized service A comprehensive framework for IT governance that helps close gaps, optimize IT investments, ensure effective service delivery and provide measures

Region of Peel August 2007	Due to the financial significance of IT investment, length of time since the last review and the rate of change in IT, the Region’s CIO and director of Internal Audit agreed that an assessment be conducted using COBIT .	Represents consensus of global experts Strongly focused on control, and less on execution Peel Region’s experience with COBIT exceeded expectations

Bahrain Civil Service Bureau February 2007	After analysing existing internal controls using the COBIT framework, a maturity model matrix was prepared and COBIT controls were applied to eliminate weak points.	COBIT is the most comprehensive, globally respected framework. It can be customised for each organization. It is an effective framework for implementing and improving IT governance.

Healthcare/Related

Enterprise Date	How Used?	Why COBIT?
Hospital in Japan April 2012	After the successful implementation of a hospital information system (HIS), based on the COBIT approach. The organization continued to utilize COBIT as the overall guidance to distinguish clinical and IT risk management subjects/objectives; define appropriate system requirements, new business processes and performance indices; and establish appropriate new business and IT management/control processes.	COBIT helped to establish appropriate, well-organized, effective and efficient IT-related risk management. COBIT assisted the organization with risk management resources to implement processes and improve the lines of communication. COBIT helped in the definition of the elements and controls of IT alignment, and the maintenance and monitoring of risk action plans. COBIT proved useful in the definition of indices for risk management status analysis, measurement and monitoring.

Hospital in Japan January 2012	A hospital information system (HIS), based on the COBIT approach, was successfully completed and appropriate controls were implemented. COBIT provided a track from generic business goals to IT goals to IT processes. This resulted in a set of metric indicators with which to monitor and evaluate IT performance. The organization was able to define an IT strategy as well as improve its risk and value management.	COBIT was widely accepted guidance and enabled risk management to facilitate implementation of a total HIS. COBIT helped in the standardization of processes and unification of records. COBIT provided controls and principles to improve communication across the organization. COBIT created a sound risk management environment.

Erickson Retirement Communities June 2009	To achieve secure information management, resilient processes, risk management and adaptive processes using COBIT as the controls framework.	Bridges the gap among control requirements, technical issues and business risk. Is a tremendous asset to the IT Governance and Process Excellence Program.

Manufacturing/Transportation

	How Used?	Why COBIT?
Solo Cup January 2011	Solo Cup used COBIT effectively to develop a comprehensive set of IT policies. COBIT helped reduce the time needed to complete the initiative.	COBIT offers a proven and effective set of guidelines. COBIT content is the appropriate depth and breadth to ensure that major IT policy control areas meet control objectives.

Harley-Davidson, USA September 2006	COBIT helped meet the challenge of getting management, IT and audit speaking the same language and working toward increased control.	An internationally accepted standard for IT governance and control Benchmarked controls compliance Harmonized with leading guidance

Tembec, Canada May 2006	Implemented COBIT to increase governance, strategically align IT and the business and standardize processes	Improve vendor-neutral framework Developed by a world-class organization


What is CISA	What is CISM	What is CGEIT	What is CRISC
Benefits of CISA	Benefits of CISM	Benefits of CGEIT	Benefits of CRISC
How to Become Certified	How to Become Certified	How to Become Certified	How to Become Certified
Register for the Exam	Register for the Exam	Register for the Exam	Register for the Exam
Prepare for the Exam	Prepare for the Exam	Prepare for the Exam	Prepare for the Exam
Taking the Exam	Taking the Exam	Taking the Exam	Taking the Exam
Apply for Certification	Apply for Certification	Apply for Certification	Apply for Certification
Maintain Your CISA	Maintain Your CISM	Maintain Your CGEIT	Maintain Your CRISC


COBIT 5 Home
Product Family
Education and Training
News
Recognition
Join the Conversation
Looking for COBIT 4.1?