Case Studies 


COBIT Case Studies by Industry

View COBIT 5 Case Studies >>
View COBIT Case Studies prior to 2005 >>


Enterprise Date

How Used?


Sun Microsystems/Oracle

January 2012

Sun/Oracle has found COBIT matrices and mapping documents very helpful when talking about how the various frameworks all fit together. The enterprise has successfully leveraged the concepts in the COBIT-related materials to create discussion of health and maturity self-assessments, provide a line of sight between its activities and its business goals, bring predictability and reliability to how the IT group plans and manages the work across the enterprise, and complement its corporate planning cycle with an “IT management cycle.”

  • COBIT provided a useful supporting toolset for the enterprise to govern and manage the IT contribution to the enterprise.
  • COBIT harmonized the enterprise’s many existing frameworks.
  • A COBIT champion ensured that the organization could get really serious about improving governance and management of enterprise IT.
  • A COBIT-inspired model helped all groups see how their work fit under an overall umbrella and how their work related to each other’s work.

Maitland Logo

July 2011

Maitland utilized COBIT to create a shared understanding of information and communication technology (ICT) and its purpose and impact on the enterprise and to increase business oversight and accountability for ICT.

  • Is a globally recognized framework.
  • Provides universally applicable governance principle
  • Increases business oversight

Dongbu Logo
Dongbu HiTek

January 2009

The company used COBIT to standardize its business processes based on global standards, comply with K-SOX and ISO 27001, and implement IT governance for Real Time Enterprise (RTE).

  • It provides global best practices for IT business processes.
  • It is complementary with major international standards, ITIL, the ISO 27000 series and PMBOK.
  • It provides a common language.

Jefferson Wells Logo
Jefferson Wells, USA

November 2007

Jefferson Wells used COBIT to assess existing controls and make recommendations on new controls for a client. For the IT controls, there is an assessment form that maps COSO to COBIT, and results are recorded directly into a database.

  • COBIT helped break down (COSO-related) information into understandable requirements.
  • Comprehensive guidance helped the client’s organization build the high-priority controls it needs.

The Manta Group, Canada

December 2006

COBIT helped clients improve their processes and achieve alignment with business goals through relevant and practical controls and metrics.

  • Is the only internationally accepted framework to provide a complete model for governing and attaining value from investments in IT
  • Educated IT and business management regarding the value of IT governance

Sun Microsystems Logo
Sun Microsystems, USA

June 2005

In light of Sarbanes-Oxley and other legislation, Sun’s IT department sought a common framework to view and measure IT’s alignment and contribution to the overall business strategy.

  • Supported IT control activities in a resource-constrained environment.
  • Enabled a common language to be used across processes

Unisys logo
Unisys Corporation, USA

September 2005

COBIT helped Unisys standardize IT strategy to support global operations, align the IT infrastructure with the company’s overall business strategy and help with Sarbanes-Oxley compliance.

  • Is an external standard against which to be measured
  • Provided a comprehensive view of the IT enterprise and a good approach to problem-solving


Enterprise Date

How Used?


Blackboard Inc.

April 2007

COBIT is a powerful way to navigate change and improve IT governance.

  • Helps IT leaders assess current operations and incorporate them into due diligence activities
  • Creates strong relationships with external auditors


Enterprise Date

How Used?


Adnoc Logo
Adnoc Distributions

December 2008


Adnoc then implemented the three most important and relevant COBIT processes, according to the current budget and resources availability. The three processes selected focused on change management, business continuity and service level management.
Currently, Adnoc uses COBIT in combination with other best practices, including portions of ITIL, as well as ISO 27001 and PMBOK standards.
Additional COBIT processes, including one related to data management, have been identified for the next phase of implementation.

  • Adnoc felt that no other standard offered a complete framework to address all the elements of a process, including measurements, key performance indicators (KPIs) and key goal indicators (KGIs)
  • Found to be more general and business-oriented than other standards/frameworks
  • Encompasses most of the elements of an IT environment, while most other standards/frameworks focus on one respective area

Ecopetrol SA

June 2010

The Information Technology Division chose COBIT as the proper IT governance framework to integrate an IT management system. Ecopetrol chose to implement 28 COBIT processes, giving priority to the control objectives that support Sarbanes-Oxley compliance.

  • It enables mapping of IT goals to business goals.
  • It results in better alignment, based on a business focus.
  • It provides a view of what IT does that is understandable to management.
  • It indicates clear ownership and responsibilities based on process orientation.
  • It is generally accepted by third parties and regulators.

Financial Services/Insurance

Enterprise Date

How Used?



April 2013

This bank chose COBIT 4.1 to address a great deal of challenges it was facing with day-to-day IT service delivery. The project was bundled with a security assessment exercise. The project kicked off with an assessment, which was documented using the COBIT 4.1 Implementation Tool Kit. Following the determination of business and IT goals, the core of the gap assessment exercise commenced. The focus was on the 34 processes, not on the 210 controls. Several interviews and process review sessions then followed from Plan and Organize (PO) all the way to Monitor and Evaluate (ME), although not necessarily in order as sessions were based on available resources.

  • COBIT 4.1 provided the most rounded approach to achieving the desired outcomes.

TT Hellenic Postbank
TT Hellenic Postbank

October 2012

TT Hellenic Postbank’s IT audit function uses COBIT 4.1 to define the audit universe on which IT audits are performed, to create tactical and strategic risk-based audit plans and to conduct audit engagements.

  • COBIT is a widely accepted international IT governance framework.
  • COBIT 4.1’s maturity model and detailed control objectives allow for a clearer understanding of the current level of effectiveness and control over IT processes.
  • COBIT helped to easily customized the solution for the needs of each organization and mapped with other commonly accepted assurance frameworks.

Scotiabank (BNS), Costa Rica

July 2012

In 2009, COBIT 4.0 implementation became mandatory for financial entities in Costa Rica. Since then,COBIT 4.0 has been used as the overall guidance framework to achieve a third level of maturity for each identified COBIT process. BNS Costa Rica met compliance with this regulation by creating a route plan to achieve control objectives: implementing good IT governance practices and controls; executing independent external audits, led by CISA-certified professionals; and providing COBIT and IT governance training to strengthen the knowledge of personnel participating in the implementation process.

  • COBIT helped to achieve a stronger alignment among business and IT strategies.
  • COBIT helped in the creation of processes with internationally accepted, auditable and measurable structures that integrate the best practices in the banking industry.
  • COBIT assisted the organization with key controls identification to ensure internal IT control.
  • COBIT proved useful in the creation of reliable processes to strengthen the application of practices related to the five elements of control that constitute good IT governance.

National Stock Exchange
National Stock Exchange (NSE) of India Limited

January 2012

NSE’s risk management framework was developed based on Risk IT, a component of COBIT. Due to the criticality of NSE’s business operations—and the frequent changes in its IT infrastructure—the decision was made to focus on risk management as an integral element of its day-to-day business processes. NSE concluded that changes in risk need to be tracked on an ongoing basis and defined a monitoring process for continuous updating of changes in the risk profile.

  • Risk IT provided control objectives to identify control gaps and to assess the impact of controls on the risk profile.
  • Risk IT helped NSE build a uniform structure and view of IT risk across the organization.
  • Risk IT provided a granular guidance on risk management processes.
  • Risk IT helped to link IT risk with business objectives.

Grupo Bancolombia
Grupo Bancolombia

January 2011

Grupo Bancolombia used COBIT to create a shared vision, unique language, alignment between business strategic planning and IT strategic planning, and clarity in roles and responsibilities.

  • Is used worldwide by auditors to verify adherence to and compliance with IT internal controls
  • Helps to ensure compliance with the US Sarbanes-Oxley Act and other global legislation
  • Provides a proactive approach to improving technology processes and services

Banco Supervielle S.A
Banco Supervielle S.A.

November 2010

Banco Supervielle S.A. used COBIT to create an IT governance framework that enabled the bank to provide training and awareness of internal controls and best practices; to redefine roles, responsibilities and IT internal processes; to implement a control dashboard; and to initiate risk administration.

  • Recommended by the local ISACA chapter
  • Most closely matched the bank’s needs
  • Facilitated the bank in measuring its current maturity level, its desired maturity level and estimated time to achieve it

A global bank

July 2010

A global bank used COBIT successfully to provide a common language for multiple technology and business teams, streamline the company’s list of controls, and manage risk and control process for Sarbanes-Oxley and other regulations.

  • COBIT provided a common governance and assurance process across technology teams.
  • COBIT helped in developing and managing a single list of controls for each type of risk.
  • COBIT provided confidence to senior executives on the reporting and attestation process.

Blue Cross and Blue Shield of North Carolina
IBM Business Consulting

October 2009

When developing a program that addressed Sarbanes-Oxley, the team realized that they needed the COBIT control framework because it allows them to “own” their IT controls.

  • COBIT is the only IT management and control framework that covers the end-to-end IT life cycle.
  • COBIT maps 100% to COSO.

Central Bank of the Republic of Armenia
Central Bank of the Republic of Armenia

February 2009

The IT audit division uses COBIT when performing audits, and risk assessments are conducted according to COBIT processes.

  • The board selected COBIT after conducting global research and finding that COBIT was well known and internationally respected.

ICW Group

January 2009

ICW Group’s CIO presented the Val IT tool set from ISACA to senior management as the most effective way to both mature the organization and deliver high-quality solutions.

  • Val IT is helping the organization achieve ambitious goals by enabling it to make smart decisions that deliver the best business value.
  • Val IT’s proven practices provide practical guidance that helps it reduce costs and increase control.


October 2008

Pension–Fennia used COSO ERM and COBIT to maximize its effectiveness and optimize the maturity of its controls. By using this combined approach, the organization was able to clarify the mutual goals and responsibilities of its business units and IT.

  • To use COBIT’s maturity approach as a complement to COSO ERM
  • To deepen the synergy and mutual understanding between business units and IT, and between IT and its service providers.

Kuwait Turkish Bank Logo
Kuwait Turk Participation Bank

April 2007

Kuwait Turk initially implanted COBIT to comply with requirements set by the Banking Regulation and Supervision Agency of Turkey (BRSA), but soon realized that the use of COBIT provided many additional benefits, including more controlled and integrated IT processes.

  • Came highly recommended
  • Internationally accepted and easily maps to other leading standards

Canadian Tire Financial Services, Ltd.

February 2007

COBIT helped communicate to IT and management why they needed to care about effective controls and provide a framework for implementation.

  • COBIT was selected as the framework with which to comply because its control objectives are internationally recognized and considered to be effective at controlling IT-related processes

Prudential, Asia

September 2006

The adoption of COBIT was supported by Prudential’s CEO and board members. COBIT has helped Prudential’s Asia IT team achieve enhanced communication between IT and business operations and responsiveness in project management.

  • Helped provide a uniformed platform to sustain growth and eliminate risks


Enterprise Date

How Used?


U.S. Department of Veterans Affairs

June 2009

A new organizational structure for centralized IT management was based on industry best practices including COBIT and Val IT, both of which provide a framework for IT governance plans, structures and investments.

  • Bridges the gaps among control requirements, technical issues and business risks.
  • Enables clear policy development and best practices
  • Emphasizes regulatory compliance

Government of Dubai
Government of Dubai

April 2009

The Financial Audit Department (FAD), the supreme audit institution of Dubai, recognized the need to promote, formalize and improve IT governance practices within Dubai as the extensive usage of IT is widely accepted as an essential component in providing services to citizens, residents and business entities.

  • Team members of the IS audit section of FAD are mostly members of ISACA who hold the CISA, CISM or CGEIT designation. COBIT had already been adopted as the resource serving as the overall framework for IS audit methodology since 2000.
  • The team decided to promote the best practices of COBIT resources among its audit community. COBIT provides control objectives, control practice statements and other resources supporting assurance processes as a global reference framework and benchmark.

European Parliament

January 2009

The European Parliament used the Val IT framework to implement a multi-annual IT plan, prioritising IT investments and business-as-usual work requests following solid, transparent, objective and widely accepted criteria, which are in line both with the IT strategy and with Parliament’s general long-term goals.

  • The European Parliament identified the right projects to implement, and has a way of following up on the benefits generated by these projects.
  • Transparency allows EP to create consensus between business users and technical people that EP is doing the right thing, at the right time, within the constraints of the means available.

Ontario Pension Board Logo
Ontario Pension Board

September 2007

OPB uses COBIT for continual improvement of IT value and control. The self-evaluation process enabled development of a service catalogue and better alignment with OPB’s outsource service provider.

  • Provide better and more personalized service
  • A comprehensive framework for IT governance that helps close gaps, optimize IT investments, ensure effective service delivery and provide measures

Region of Peel Logo
Region of Peel

August 2007

Due to the financial significance of IT investment, length of time since the last review and the rate of change in IT, the Region’s CIO and director of Internal Audit agreed that an assessment be conducted using COBIT.

  • Represents consensus of global experts
  • Strongly focused on control, and less on execution
  • Peel Region’s experience with COBIT exceeded expectations

Bahrain Civil Service Bureau

February 2007

After analysing existing internal controls using the COBIT framework, a maturity model matrix was prepared and COBIT controls were applied to eliminate weak points.

  • COBIT is the most comprehensive, globally respected framework.
  • It can be customised for each organization.
  • It is an effective framework for implementing and improving IT governance.


Enterprise Date

How Used?



January 2014

Like most innovation-led organisations, GlaxoSmithKline (GSK) is highly dependent on IT. Its large, centralised IT support group has used COBIT 4.1 as the basis for developing an organisational IT governance framework. GSK is beginning its transition to COBIT 5.

  • One of GSK’s strategic priorities is to simplify its operating model by reducing complexity and thereby becoming more efficient. This will free up resources to invest in other, more productive, areas of the business. One of the outcomes of this strategy is a more centralised IT organisation, offering standard IT support services to all business areas.

Sunnybrook Health Sciences Centre

April 2013

Whether at the management or board level, IT governance is fundamentally concerned with two primary outcomes: IT value delivery and the mitigation of IT-related risk. These are enabled by ensuring the strategic alignment of IT services with Sunnybrook’s business goals, the availability and management of appropriate IT resources, and the measurement and management of IT process performance. The resulting IT governance program is focused on the application of five governance areas that are common to all enterprise governance frameworks and are applied to Sunnybrook’s IT management.

  • Need for increased focus on technical and process risk management within the IT management team following several years of increasing operations, project incidents and disruptions
  • COBIT 4.1, Risk IT and Val IT combine to provide an overall IT governance program that is fully complementary with existing best practices for IT service delivery and provides both managerial and board-level visibility and control over the performance of Sunnybrook’s IT strategic programs.

NHS Fife
NHS Fife (National Health Service), UK

October 2012

NHS Fife began working with COBIT in 2007, led by the need to ensure that its e-health services were aligned with NHS’s national and local strategies, along with internal pressures to improve security, audit outcomes and compliance with recognized standards. NHS Fife supported the implementation of COBIT with the Meycor COBIT Suite, which was particularly helpful for establishing a baseline, developing improvement plans, selecting metrics and tracking the improvement cycles designed for each targeted process.

  • COBIT provided a vision for a continual improvement process.
  • COBIT established a continual improvement model that was sustainable and demonstrated results.
  • COBIT assisted the organization to establish a mature process and align IT with the organization’s strategy.
  • COBIT proved useful in reducing risk and improving security.
  • COBIT helped in improving internal and external audit outcomes.

Hospital in Japan 

April 2012

After the successful implementation of a hospital information system (HIS), based on the COBIT approach. The organization continued to utilize COBIT as the overall guidance to distinguish clinical and IT risk management subjects/objectives; define appropriate system requirements, new business processes and performance indices; and establish appropriate new business and IT management/control processes.

  • COBIT helped to establish appropriate, well-organized, effective and efficient IT-related risk management.
  • COBIT assisted the organization with risk management resources to implement processes and improve the lines of communication.
  • COBIT helped in the definition of the elements and controls of IT alignment, and the maintenance and monitoring of risk action plans.
  • COBIT proved useful in the definition of indices for risk management status analysis, measurement and monitoring.

Hospital in Japan

January 2012

A hospital information system (HIS), based on the COBIT approach, was successfully completed and appropriate controls were implemented. COBIT provided a track from generic business goals to IT goals to IT processes. This resulted in a set of metric indicators with which to monitor and evaluate IT performance. The organization was able to define an IT strategy as well as improve its risk and value management.

  • COBIT was widely accepted guidance and enabled risk management to facilitate implementation of a total HIS.
  • COBIT helped in the standardization of processes and unification of records.
  • COBIT provided controls and principles to improve communication across the organization.
  • COBIT created a sound risk management environment.

Erickson Logo
Erickson Retirement Communities

June 2009

To achieve secure information management, resilient processes, risk management and adaptive processes using COBIT as the controls framework.

  • Bridges the gap among control requirements, technical issues and business risk.
  • Is a tremendous asset to the IT Governance and Process Excellence Program.


Enterprise Date

How Used?


Solo Cup Logo
Solo Cup

January 2011

Solo Cup used COBIT effectively to develop a comprehensive set of IT policies. COBIT helped reduce the time needed to complete the initiative.

  • COBIT offers a proven and effective set of guidelines.
  • COBIT content is the appropriate depth and breadth to ensure that major IT policy control areas meet control objectives.

Harley-Davidson, USA

September 2006

COBIT helped meet the challenge of getting management, IT and audit speaking the same language and working toward increased control.

  • An internationally accepted standard for IT governance and control
  • Benchmarked controls compliance
  • Harmonized with leading guidance

Tembec, Canada

May 2006

Implemented COBIT to increase governance, strategically align IT and the business and standardize processes.

  • Improve vendor-neutral framework
  • Developed by a world-class organization