Optimizing Crypto Custody Operations With COBIT

Author: Gokhan Polat, Co-founder of Noode
Date Published: 1 May 2025

A leading provider of crypto asset services strengthened its data governance framework to enhance customer experiences, drive innovation, and maintain a competitive edge. Through robust data governance practices, the company is advancing compliance with regulations, protecting sensitive information, and optimizing decision-making processes. This strategic focus is also improving data quality, operational efficiency, and stakeholder trust. As the company continues investing in cybersecurity, risk management, and IT governance, it seeks to further refine its approach to achieve a higher level of assurance and resilience in an evolving digital landscape.

Key Business Challenges

Crypto asset service providers (CASPs) operate in a dynamic and highly regulated environment where balancing compliance, security, and IT governance is essential for sustainable growth. One leading provider recognized the need to enhance its IT strategy to keep pace with evolving global and regional regulations such as the EU General Data Protection Regulation (GDPR)¹ and Turkey’s Personal Data Protection Law (KVKK),² while maintaining operational resilience and supporting business expansion. Strengthening cybersecurity, risk management, and IT governance practices was crucial to improving efficiency, ensuring compliance, and optimizing operational workflows. A more structured approach to aligning IT investments with long-term strategic goals would help the company navigate these complexities effectively.

A key focus area was improving the management of extensive data processing requirements driven by know your customer (KYC) and anti-money laundering (AML) activities. To ensure seamless identity verification, transaction monitoring, and fraud detection, the company needed to integrate both on-chain and off-chain data sources more efficiently.

Additionally, the company’s marketing and business development activities generated a wealth of customer insights, behavioral analytics, and engagement metrics. Establishing a standardized governance framework would enable better consistency in data security, privacy controls, and IT integration, leading to enhanced regulatory compliance and operational effectiveness. Enhancing IT governance maturity would ensure that technology decisions aligned with business objectives and market demands. Strengthening IT strategy would facilitate better prioritization, more effective technology adoption, and streamlined decision making. Managing a diverse and evolving portfolio of listed crypto assets required a well-structured portfolio governance model to support scalability and regulatory adherence. Optimizing IT sourcing strategies—balancing in-house capabilities with third-party providers—would also drive efficiency and operational excellence. Additionally, adopting a clear technology roadmap for AI-driven risk analytics, smart contract auditing, and blockchain security tools would enable the company to innovate securely and proactively.

To stay ahead in the rapidly evolving crypto custody space, the company sought ways to refine its risk assessment and mitigation strategies. Strengthening collaboration between IT, risk, and business teams would enhance agility and improve decision making. Implementing a structured IT performance monitoring system would provide better visibility into the effectiveness of technology-driven initiatives. By fostering a governance-driven approach to IT strategy, the company aimed to reinforce operational resilience, ensure compliance, and create an environment where innovation could thrive securely.

The Path to a Solution

The director of enterprise risk management recognized the pressing need for a structured governance framework that could align IT processes with business objectives while addressing regulatory compliance, risk management, and cybersecurity requirements. To achieve this, he decided to implement the COBIT framework, known for its comprehensive governance and management objectives that provide organizations with a clear roadmap for IT-business alignment.

To gain leadership buy-in, he organized a strategic meeting with the chief operations officer (COO) to outline the specific business needs COBIT could address:

  • Regulatory compliance
  • Operational resilience
  • Effective asset management
  • IT governance

During the meeting, the director demonstrated how COBIT’s structured governance model would help resolve challenges in these areas. He also responded to specific concerns from the COO, such as how COBIT would integrate with existing compliance requirements, optimize risk management strategies, and improve interdepartmental coordination.

The COO initially expressed skepticism about adopting a governance framework, citing concerns about implementation complexity and how a generic framework could help define the company’s specific challenges and strategic solutions. Having no prior knowledge of COBIT, he was unfamiliar with its capabilities in aligning IT with business objectives. However, as the session progressed, he recognized COBIT’s potential to unify and strengthen the company’s IT governance, cybersecurity, and regulatory compliance efforts. He also saw how COBIT’s structured approach could enhance risk identification, streamline processes, and ensure regulatory compliance. By the end of the session, he decided to escalate the discussion to the board level.

Following this, the COO convened a meeting with the board to present COBIT’s capabilities and potential to address both current and emerging challenges. During the meeting, the director of enterprise risk management addressed key concerns raised by business unit leaders. Ultimately, senior management approved the implementation of COBIT and requested a structured approach to integrate the framework. 

To facilitate implementation, the director of enterprise risk management was tasked with organizing a dedicated COBIT design session. This session included senior management representatives, the legal team, the marketing team, the business development team, and IT team leaders, who conducted a comprehensive analysis of the organization using COBIT’s 11 design factors:

  1. Enterprise Strategy—Aligning governance with business objectives
  2. Enterprise Goals—Defining IT contributions to organizational success
  3. Risk Profile—Assessing the company's risk appetite and exposure
  4. I&T-Related Issues—Identifying key IT challenges impacting the business
  5. Threat Landscape—Understanding cybersecurity threats and vulnerabilities
  6. Compliance Requirements—Ensuring adherence to relevant regulations
  7. Role of IT—Defining IT’s role as a strategic enabler
  8. Sourcing Model for IT—Evaluating internal vs. outsourced IT services
  9. IT Implementation Methods—Managing IT project execution approaches
  10. Technology Adoption Strategy—Integrating emerging technologies effectively
  11. Enterprise Size—Adapting governance strategies to organizational scale

Through this structured assessment, the team identified critical areas for improvement and formulated a comprehensive action plan to align the company with COBIT principles. Recognizing the unique challenges of this emerging sector, the director of enterprise risk management introduced a new design factor—Crypto Asset Market Exposure—to enhance the precision of COBIT-based evaluations and ensure more effective governance and risk management within CASPs (figure 1).

Figure 1 Services Offered by the Digital Afterlife Industry

Following this, the organization reassessed IT project priorities and risk management strategies, leading to the development of a structured action plan to enhance its IT risk maturity level. This plan outlined specific steps, timelines, and assigned responsibilities to ensure effective implementation. Additionally, employees received comprehensive training on COBIT principles, emphasizing their roles and responsibilities in the governance framework.

COBIT’s Role and Advantages

As a leading CASP, the company faced significant challenges in data governance, cybersecurity, and risk management. To address these issues, the company implemented COBIT.

Crypto exchanges, leveraging advanced technologies such as blockchain, often present complex operational challenges. The lack of established frameworks specifically designed for this industry can make it difficult for organizations to effectively manage their IT systems and processes.

COBIT, a comprehensive IT governance framework, offers a valuable solution. Its robust architecture, its ability to analyze an organization's business objectives and current technology management, and its goals cascade together provide a workable framework for navigating the complexities that the web3 world has inherited from the web2 business world.

COBIT provided a clear roadmap for the organization, helping it establish a centralized approach, strengthen IT governance, and enhance cybersecurity. By leveraging the Align, Plan and Organize (APO) objective APO01 (Managed I&T Management Framework) and the Evaluate, Direct and Monitor (EDM) objective EDM01 (Ensured Governance Framework Setting and Maintenance), the company structured its governance mechanisms to align IT with business goals.

To enhance risk management and compliance, the company used APO12 (Managed Risk) and the Monitor, Evaluate and Assess (MEA) objective MEA03 (Managed Compliance with External Requirements), ensuring adherence to industry regulations such as MiCA³ and the FATF⁴ guidelines. Additionally, the Deliver, Service and Support (DSS) objective DSS05 (Managed Security Services) played a crucial role in fortifying the cybersecurity measures that protect digital assets and customer data.

Beyond risk and security, the organization optimized its portfolio of listed crypto assets through APO05 (Managed Portfolio) and improved asset integrity with the Build, Acquire and Implement (BAI) objective BAI09 (Managed Assets). The implementation of MEA01 (Managed Performance and Conformance Monitoring) allowed for continuous assessment and improvement of IT and business processes.


By tailoring COBIT to its specific needs, the company achieved improved decision making, accountability, and regulatory compliance, while also enhancing operational efficiency and IT-business alignment.

The implementation process involved a thorough assessment, customization, training, and ongoing monitoring. The results were significant, including enhanced governance, reduced risk, stronger cybersecurity, and improved operational efficiency.

This success story demonstrates the value of COBIT for CASPs seeking to improve their overall performance and mitigate risk in today's complex regulatory environment.

Outcomes

While quantifying the exact benefits in terms of specific metrics is challenging, the implementation of COBIT clearly had a positive impact on the organization’s overall performance via:

  • Enhanced decision making—COBIT provided a data-driven approach to decision making, enabling the organization to make informed choices based on accurate information.
  • Improved collaboration—COBIT helped foster better collaboration between different business units by providing a common framework for IT governance.
  • Enhanced stakeholder communication—COBIT enabled the organization to communicate more effectively with stakeholders, including regulators, investors, and customers.
  • Increased organizational alignment—COBIT helped align IT with business objectives, ensuring that IT investments support the organization's strategic goals.
  • Improved risk management—COBIT provided a structured approach to risk management, helping the organization identify and mitigate potential threats.
  • Enhanced data governance—COBIT helped the organization establish a robust data governance framework, protecting sensitive customer data and ensuring compliance with regulations.

By providing a comprehensive framework for IT governance, COBIT enabled the organization to make more informed decisions, improve collaboration, and enhance its overall risk management posture.

Endnotes

1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation [GDPR])
2 Personal Data Protection Authority, Personal Data Protection Law, Turkey, 2016
3 European Securities and Markets Authority, Markets in Crypto-Assets Regulation (MiCA), European Union, June 2023
4 Financial Action Task Force (FATF)
5 Commodity Futures Trading Commission (CFTC), USA

GOKHAN POLAT, CISA, CRISC, CISM, CDPSE, CERTIFIED CRYPTOCURRENCY INVESTIGATOR, CIA, CISSP, CRMA, ITIL 4 LEADER: DIGITAL AND IT STRATEGY

Is an ISACA®-accredited COBIT® trainer and implementer, founder of Clovera.io, a consultancy firm specializing in digital trust, security, and compliance, and founder of DataBulls, a digital community focused on emerging technologies. With extensive experience in IT governance, risk management, and compliance, he has held key leadership roles at EY Türkiye, SabancıDx, and Paribu, driving cybersecurity, enterprise risk management, and digital transformation initiatives. As a COBIT Engage Leader and ISACA Emerging Technology Advisory Group member, he actively contributes to advancing COBIT practices and aligning them with evolving business risk.