For over 25 years, COBIT® has built on and integrated best practice frameworks that are used to develop and promote the process of understanding, designing and implementing enterprise governance of IT (EGIT).
COBIT has developed into a comprehensive and broad information and technology governance and management framework and continues to establish itself as a generally accepted framework for I&T governance. Throughout this framework, IT is used to refer to the enterprise function with the primary responsibility for technology. When used in this framework, I&T refers to all the information the enterprise generates, processes and uses to achieve its goals, together with the technologies that support it.
But what is COBIT? And just as importantly, what is it not?
What is COBIT?
COBIT is a framework for the governance and management of enterprise information and technology (I&T), which includes all the technology and information processing the enterprise conducts to achieve its goals. Put simply, enterprise I&T is not limited to the IT department of an organization, although it certainly includes it.
COBIT makes a clear distinction between two disciplines (governance and management) as they encompass different activities, require different organizational structures and serve different purposes. For instance, governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives. Direction is set through prioritization and decision-making.
On the other hand, management plans, builds, runs and monitors activities that are in alignment with the direction set by the governance body to achieve enterprise-level objectives.
Three Things It Is
- COBIT defines the components to build and sustain a governance system including processes, organization structures, principles, policies and procedures, information flows, culture and behaviors, skills and infrastructure.
- COBIT defines the design factors that should be considered by the enterprise to build a best-fit governance system.
- COBIT addresses governance issues by grouping relevant governance components into governance and management objectives that can be managed to the required capability levels.
Three Things It Isn’t
- COBIT is not a full description of the whole IT environment of an enterprise.
- COBIT is not a framework to organize business processes.
- COBIT is not a technical (IT) framework for managing all technology.
Additionally, COBIT does not make or prescribe any IT-related decisions. It does not decide what the best IT strategy is, what the best architecture is, or how much IT can or should cost. Rather, COBIT defines the components that describe which decisions should be taken, and how and by whom they should be taken.
To learn more about what COBIT is and how to apply COBIT to I&T risk practices, download the COBIT Focus Area: Information and Technology Risk publication here: https://store.isaca.org/s/store#/store/browse/detail/a2S4w000004Ku2gEAC.