How COBIT 4.1 Changed from 4.0
COBIT 4.1, an incremental update to COBIT 4.0, includes:
- Enhanced executive overview
- Explanation of goals and metrics in the framework section
- Better definitions of the core concepts. It is important to mention that the definition of a control objective changed, shifting more toward a management practice statement.
- Improved control objectives resulting from updated control practices and Val IT development activity. Some control objectives were grouped and/or reworded to avoid overlaps and make the list of control objectives within a process more consistent. These changes resulted in the renumbering of the remaining control objectives. Some other control objectives were reworded to make them more action-oriented and consistent in wording. Specific revisions include:
  - AI5.5 and AI5.6 were combined with AI5.4
  - AI7.9, AI7.10 and AI7.11 were combined with AI7.8
  - ME3 was revised to include compliance with contractual requirements in addition to legal and regulatory requirements
- Application controls have been reworked to be more effective, based on work to support controls effectiveness assessment and reporting. This resulted in a list of six application controls replacing the 18 application controls in COBIT 4.0, with further detail provided in COBIT Control Practices, 2nd Edition.
- The list of business goals and IT goals in appendix I was improved, based on new insights obtained during validation research executed by the University of Antwerp Management School (Belgium).
- The pull-out has been expanded to provide a quick reference list of the COBIT processes, and the overview diagram depicting the domains has been revised to include reference to the process and application control elements of the COBIT framework.
- Improvements identified by COBIT users (COBIT 4.0 and COBIT Online) have been reviewed and incorporated as appropriate.
Approach to Research and Development
Development of the COBIT framework content is supervised by the COBIT Steering Committee (CSC), formed by international representatives from industry, academia, government and the IT governance, assurance, control and security profession. International working groups have been established for the purpose of supporting specific development activities as well as providing quality assurance and expert review of the project's interim research and development deliverables. Overall project guidance is provided by the IT Governance Institute (ITGI) committee.
Previous COBIT Editions
Starting with the COBIT framework defined in the first edition, the application of international standards, guidelines and research into best practices led to the development of the control objectives. Audit guidelines were next developed to assess whether these control objectives are appropriately implemented. Research for the first and second editions included the collection and analysis of identified international sources and was carried out by teams in Europe (Free University of Amsterdam), the US (California Polytechnic University) and Australia (University of New South Wales). The researchers were charged with the compilation, review, assessment and appropriate incorporation of international technical standards, codes of conduct, quality standards, professional standards in auditing, and industry practices and requirements, as they relate to the framework and to individual control objectives. After collection and analysis, the researchers were challenged to examine each domain and process in depth and suggest new or modified control objectives applicable to that particular IT process. Consolidation of the results was performed by the COBIT Steering Committee.
The COBIT 3rd Edition project consisted of developing the management guidelines and updating COBIT 2nd Edition based on new and revised international references. Furthermore, the COBIT framework was revised and enhanced to support increased management control, introduce performance management and further develop IT governance. To provide management with an application of the framework so that it can assess and make choices for control implementation and improvements over its information and related technology, as well as measure performance, the management guidelines include maturity models, critical success factors, key goal indicators and key performance indicators related to the control objectives.
The management guidelines were developed by using a worldwide panel of 40 experts from academia, government and the IT governance, assurance, control and security profession. These experts participated in a residential workshop guided by professional facilitators and using development guidelines defined by the COBIT Steering Committee. The workshop was strongly supported by the Gartner Group and PricewaterhouseCoopers, who not only provided thought leadership but also sent several of their experts on control, performance management and information security. The results of the workshop were draft maturity models, critical success factors, key goal indicators and key performance indicators for each of COBIT's 34 high-level control objectives. Quality assurance of the initial deliverables was conducted by the COBIT Steering Committee and the results were posted for exposure on the ISACA web site. The management guidelines document offered a new management-oriented set of tools, while providing integration and consistency with the COBIT framework.
The update to the control objectives in COBIT 3rd Edition, based on new and revised international references, was conducted by members of ISACA chapters, under the guidance of COBIT Steering Committee members. The intention was not to perform a global analysis of all material or a redevelopment of the control objectives, but to provide an incremental update process. The results of the development of the management guidelines were then used to revise the COBIT framework, especially the considerations, goals and enabler statements of the high-level control objectives. COBIT 3rd Edition was published in July 2000.
In its effort to continuously evolve the COBIT body of knowledge, the COBIT Steering Committee initiated the COBIT 4.0 Project and research into several detailed aspects of COBIT. These focused research projects addressed components of the control objectives and the management guidelines. Some specific areas that were addressed are listed below:
Control Objectives Research
- COBIT-IT governance bottom-up alignment
- COBIT-IT governance top-down alignment
- COBIT and other detailed standards: detailed mapping between COBIT and ITIL, CMM, COSO, PMBOK, ISF and ISO 17799 to enable harmonization with those standards in language, definitions and concepts
Management Guidelines Research
- KGI-KPI causal relationships analysis
- Review of the quality of the KGIs/KPIs/CSFs: based on the KPI/KGI causal relationship analysis, splitting CSFs into 'what you need from others' and 'what you need to do yourself'
- Detailed analysis of metrics concepts: detailed development with metrics experts to enhance the metrics concepts, building up a cascade of 'process-IT-business' metrics and defining quality criteria for metrics
- Linking of business goals, IT goals and IT processes: detailed research in eight different industries resulting in a more detailed insight into how COBIT processes support the achievement of specific IT goals and, by extension, business goals; results were then generalized
- Review of maturity model contents: ensured consistency and quality of maturity levels between and within processes, including better definitions of maturity model attributes
All of these projects were initiated and overseen by the COBIT Steering Committee, while day-to-day management and follow-up were executed by a smaller COBIT core team. The execution of most of the aforementioned research projects was based heavily on the expertise and volunteer team of ISACA members, COBIT users, expert advisors and academics. Local development groups were set up in Brussels (Belgium), London (England), Chicago (Illinois, USA), Canberra (Australian Capital Territory), Cape Town (South Africa), Washington (DC, USA) and Copenhagen (Denmark), in which five to 10 COBIT users gathered on average two to three times per year to work on specific research or review tasks assigned by the COBIT core team. In addition, some specific research projects were assigned to business schools such as the University of Antwerp Management School (UAMS) and the University of Hawaii.
The results of these research efforts, together with feedback provided by COBIT users over the years and issues noted from the development of new products such as the control practices, have been fed into the main COBIT project to update and improve the COBIT control objectives, management guidelines and framework. Two major development labs, each involving more than 40 IT governance, management and control experts (managers, consultants, academics and auditors) from around the world, were held to review and thoroughly update the control objectives and management guidelines content. Further smaller groups worked on refining or finalizing the significant output produced by these major events.
The final draft was subject to a full exposure review process with approximately 100 participants. The extensive comments received were analyzed in a final review workshop by the COBIT Steering Committee.
The results of these workshops were processed by the COBIT Steering Committee, the COBIT core team and ITGI to create COBIT 4.0, which was released in December 2005. The existence of COBIT Online® meant that the technology now exists to keep the core COBIT content up to date more easily, and this resource is being used as the master repository of COBIT content. It will be maintained through feedback from the user base as well as periodic reviews of specific content areas. Periodic publications (paper and electronic) will be produced to support offline reference to COBIT content.
Development of COBIT 4.1 and Related Products
Following the release of COBIT 4.0 in December 2005, significant development effort has been focused on updating the other products in the COBIT family and aligning them with COBIT 4.0. COBIT 4.0 was also updated to COBIT 4.1, to provide some fine-tuning and better explanations of some key 4.0 concepts, and to reflect the results of the detailed research that was carried out while developing the other products.
IT Governance Implementation Guide: Using COBIT and Val IT, 2nd Edition was produced based on the experiences of applying the first version over the past few years and now also including reference to Val IT; a complete update of the Control Practices was completed and a new IT Assurance Guide was created to replace the Audit Guidelines. Work on the Control Practices 2nd Edition and the new IT Assurance Guide was closely coupled because the objective was to provide much more detailed testing guidance than was previously available and to align the tests to the control objectives and control practices, rather than just at the IT process level that was the basis for the old Audit Guidelines.
This detailed work helped to level out the detail of the control objectives and arrive at a well-balanced set of control practices.
Several detailed workshops were held to update and expand the control practices and the raw material for the testing part of the new IT Assurance Guide. A development database was created to provide access to the content to a wider range of reviewers. It was also recognized that the new IT Assurance Guide, while providing much greater detail to support audit and assurance professionals in performing their services, also required new guidance, particularly on how best to leverage the COBIT components when undertaking assurance tasks. The development required several workshops and expert development meetings, as well as exposure to enable feedback from the assurance community. A new introduction, describing the provision of IT assurance services in line with the latest accepted assurance best practice while leveraging COBIT, was produced to ensure effective use of the testing content itself.
Following on from all these developments and improvements, opportunities for further clarification and streamlining of COBIT control objectives were also identified. These changes were applied to the COBIT volume alongside other changes resulting from feedback received by ISACA/ITGI on the COBIT 4.0 content, resulting in the finalized version of COBIT 4.1. Probably the most notable change was in the explanation and presentation of the ‘goals and metrics’ content, where user feedback provided guidance on how to improve the usefulness of this content. Other changes are listed at the start of Appendix V in the COBIT 4.1 volume.
Following work to ensure full alignment of all of these related volumes, all four volumes were published in May 2007.