Ethics in COBIT 5 


Since COBIT 5 has recently been released, it is timely to look at the threads of information ethics in the fabric of this substantially improved and integrated framework. The approach selected for this review is not an exhaustive analysis of the microcontent of COBIT, but a reflection on three questions for consideration in linking ethics to the expanded reach of COBIT 5.[1] A continuing discussion in the comments section of this article would be helpful to exchange ideas and “snowball” our efforts to improve our practices.

What Has Changed From COBIT 4.1?

COBIT 5 takes a nested approach. Stakeholder drivers influence stakeholder needs, which cascade to enterprise goals, which in turn cascade to IT-related goals, which ultimately cascade to enabler goals. Enablers include processes, organizational structures and information; for each enabler, a set of specific relevant goals can be defined in support of the IT-related goals.[2]

The leap from COBIT 4.1 to COBIT 5 is significant in many respects,[3] including the recognition of ethics. A search for the word “ethics” shows that the term appeared twice in the former edition compared to 23 times in COBIT 5. This is impressive, especially knowing that the former is 213 pages long and the latter 94 pages. Several of these references surface in the citation of the enabler Culture, Ethics and Behavior. The breakdown of the references to “ethics” is: table of contents (2), enabler description in the title of a table/figure or in a list (5), glossary (2), and as a part of the discussion (14). A review of the context where the term was used in the discussion seems to suggest that a conscious effort was made to embed ethics into the overall design.

In COBIT 5, an enabler is defined as anything that can help achieve the objectives of the enterprise.[4] Included among the seven categories of enablers is the category that combines Culture, Ethics and Behavior. The ultimate expression of ethics is in the choices we make; therefore, the inclusion of behavior in this category is meaningful. Likewise, culture is a key influencer of the organization’s climate of ethics; consequently, it is appropriate for ethics to be a part of the same family of enablers. However, although somewhat intuitive, it is unclear how these three elements, as a unified enabler, are related to one another.

COBIT 5 links the enabler Principles, Policies and Frameworks with the enabler Culture, Ethics and Behavior. This is because the former “should reflect the culture and ethical values of the enterprise and they should encourage the desired behavior.”[5] As discussed previously in this column (volume 3, 2012), overarching pillars that help set the behavioral expectations include policies and other related elements such as principles, core values and frameworks that should be adopted by the organization. Clearly, the bond between these two enablers has to be strong to set an effective tone to deliver expectations of ethical behavior.

With a detailed description of the enabler Culture, Ethics and Behavior in appendix G, COBIT 5 provides additional insights on ethics. For example, the framework identifies two types of stakeholders, external (e.g., regulators) and internal, and notes personal values of individuals (e.g., employees) and the organizational values mirrored in the organization’s code of ethics. According to COBIT 5, stakes are twofold: some stakeholders (e.g., remuneration boards and officers) deal with defining, implementing and enforcing desired behaviors, and others have to align with the defined rules and norms. As to a goal related to ethics, the framework posits:

  • Organizational ethics, determined by the values by which the enterprise wants to live
  • Individual ethics, determined by the personal values of each individual in the enterprise[6]

While there is a notable effort here to spell out some of the finer points, as with all aspects of COBIT, it is almost always necessary to seek other sources for a serious effort to implement ethics. The context of the nature of the enterprise is referenced in the framework in chapter seven, Implementation Guidance. However, domain-relevant knowledge of ethics and the related skills and processes need to be augmented from elsewhere. Understandably, no framework can be considered exhaustive in all aspects of implementation; further mapping of ethics implementation to COBIT should prove helpful to the COBIT user community.

How Can One Map Guidance to Implement Ethics?

The discussion of enabler 5, Culture, Ethics and Behavior, offers probably the most informative content in respect to the implementation of ethics in an organization.[7] The practices noted in this enabler are communication, enforcement, incentives and rewards, awareness, rules and norms, and champions. Although not exhaustive, this list compares well with the other tool kits for ethics implementation.[8] For example, the steps identified in the Omaha (Nebraska, USA) Business Ethics Alliance’s tool kit are compared in figure 1 with the specific references in COBIT 5. Many of the 10 steps can be inferred as elements within the interconnected enablers of COBIT 5.

[Figure 1: The 10 steps of the Omaha Business Ethics Alliance ethics tool kit compared with the corresponding references in COBIT 5 (figure not reproduced here)]

A KPMG white paper, “The Road to a Model Ethics and Compliance Program: Ten Things We Learned on Our Journey,” posted on the ethics alliance site, is an insightful case study in ethics implementation.[9]

What Can Be Done to Enrich the Existing Knowledge Base?

The knowledge base represented by COBIT 5 is significant.[10] Externally, the framework interfaces with myriad standards.[11] But knowing this much is not enough; further efforts on how to leverage two or more frameworks and align them to produce synergy for an entity are required. In this area, the user community, by sharing experiences, can help generate a better understanding of inter- and intra-framework implementation challenges and of the potential synergies in addressing them.

ISACA’s Business Model for Information Security™ (BMIS™) provides an excellent supplement to COBIT 5. In reference to ethics, BMIS includes the following statement: “Compliance required at a personal level should be reflected in the Culture DI (dynamic interactions), such as when people are expected to make a personal commitment to a code of ethics or other document that mandates personal responsibility and adherence to rules.” BMIS refers to ethics just once.[12] This model articulates six DIs: Governing, Culture, Architecture, Enabling and Support, Emergence, and Human Factors. Interconnected enablers in COBIT 5 and DIs in BMIS seem to overlap in places. For example, the Culture, Ethics and Behavior enabler of COBIT 5 is closely related to the Culture and Human Factors DIs of BMIS.

Outside of the basic framework, a considerable amount of space and thought in COBIT 5 is devoted to demonstration by example. The document itself appropriately cautions against mere copying.

Two concrete suggestions are offered for future consideration. First, the term “information ethics” is now widely accepted.[13] Computer and information ethics is a branch of ethics that emerged in the 1980s; it is devoted to the study of the social and ethical impact of information and communication technology.[14] It is clear that the term “ethics” encompasses almost everything one refers to in this area; as an all-inclusive term, a generic reference to ethics is appropriate in any framework that includes ethics. However, where specificity would make COBIT 5 more meaningful, it would help to discreetly use “information ethics” in place of “ethics.” While this profession’s interface with business has to do with almost everything that is in the larger nature of ethics, the profession itself is apparently closer to information ethics. Selective usage of “information ethics” will help people relate more effectively to ethical dilemmas closer to the profession.

Second, it would help to review the definition of the term “code of ethics” in COBIT to ensure consistency across the literature and practice of ethics. Specifically, three areas of the current definition warrant a revisit: (1) the use of “employees” is too limiting; ethics is for all stakeholders; (2) the phrase “in certain situations” is probably too prescriptive for a definition; (3) the phrase “those in the enterprise called upon to make decisions” would presumably include everyone. The member of the cleaning crew who comes across confidential data is no different from those who draft privacy policies.

The debate will continue. Feedback and improvement are part of the life cycle of any framework. For now, it is time to celebrate the arrival of a new, more inclusive and robust framework that promises to serve the profession and the user community well.


Endnotes

[1] This is not a comprehensive evaluation of COBIT 5, and the questions relate only to ethics.
[2] ISACA, COBIT 5, USA, 2012, p. 18
[3] For example, the bridging of governance and management accountabilities
[4] Op cit, ISACA, p. 14
[5] Op cit, ISACA, p. 68
[6] Op cit, ISACA, p. 79
[7] Op cit, ISACA, p. 79
[8] See, for example, at Creighton University.
[9] KPMG, “The Road to a Model Ethics and Compliance Program: Ten Things We Learned on Our Journey”
[10] Refer to COBIT 5, figure 10, p. 25, for an overview.
[11] Figure 25 (p. 61) of COBIT 5 is an impressive testimony to this.
[12] ISACA, The Business Model for Information Security (BMIS), USA, 2010, p. 49
[13] For a detailed discussion of the history and development of computer and information ethics, refer to
[14] Heersmink, R.; J. van den Hoven; N.J. van Eck; J. van den Berg; “Bibliographic Mapping of Computer and Information Ethics,” Ethics and Information Technology, 2011, 13: 241–249

Vasant Raval, DBA, CISA, is a professor of accountancy at Creighton University (Omaha, Nebraska, USA). The coauthor of two books on information systems and security, he teaches and researches in the areas of information security and corporate governance. Opinions expressed in this column are his own, and not those of Creighton University. He can be reached at [email protected].


© 2012 ISACA. All rights reserved.
