Introducing the COBIT 2019 framework
ISACA created COBIT (Control Objectives for Information and Related Technologies) to give IT leaders the means to ascertain risk while focusing on business objectives. COBIT is predicated on three enduring notions:
- Separating governance from management
- Leveraging risk to create value
- Maintaining an organization-wide approach
It consists of processes (controls) characterized by inputs, outputs, key activities, objectives, and performance measures. These processes are allocated to five objectives (see table below).
Table 1. COBIT Focus Areas
These five focus areas are unchanged in COBIT 2019; however, three of them have been allocated one extra process.
The main difference between COBIT 5 and COBIT 2019
“Managed Data” has been added to APO, “Managed Projects” has been added to BAI, and “Managed Assurance” has been added to MEA. This raises the process count from 37 (COBIT 5) to 40 (COBIT 2019).
COBIT 2019 processes are now assessed according to the five maturity levels stipulated by the Capability Maturity Model Integration Institute (a subsidiary of ISACA) rather than the 0-5 scale outlined in ISO 33000.
The enablers, explicitly outlined in COBIT 5, have been replaced by design factors in COBIT 2019, which represent fundamental building blocks critical for the success of an IT organization. They stipulate an understanding of eleven elements that can be loosely grouped as follows:
- Enterprise Strategy, Enterprise Goals, Enterprise Size
- Compliance Requirements, Threat Landscape, Enterprise Risk Profile
- Role of IT, Sourcing Model for IT, IT Implementation Methods
- Technology Adoption Strategy, I&T-Related Issues
These elements suggest a rapprochement with the business and a more nimble operational approach.
Compatibility of COBIT 2019 with Info-Tech’s Management & Governance Framework
The Info-Tech M&G Framework takes a domain view of COBIT. Nine color-coded domains are mapped across the five COBIT objectives and one more objective has been added by Info-Tech Research Group (ITRG) to account for processes that do not really have a place in COBIT 5 but were deemed essential to optimally operate IT.
The strength of the mapping is represented by three saturation levels for each hue:
- Light saturation if an ITRG process, within a domain, maps to only one objective
- Mid saturation if an ITRG domain maps to two objectives
- Deep saturation if an ITRG domain maps to three or more objectives
The 45 processes outlined in the ITRG M&G map to the 37 processes in COBIT 5 along with an extra eight processes added by ITRG. The three new processes outlined in COBIT 2019 – BAI11 Managed Projects, APO14 Managed Data, and MEA04 Managed Assurance – are not currently explicitly mapped in the ITRG M&G. However, ITRG process “Project Management” includes best practices research on program management as well as project management, which covers BAI11 Managed Projects. The process “Data Quality,” currently under the ITRG objective number 08, encompasses data management and therefore would include a mapping to APO14 Managed Data. Finally, MEA04 Managed Assurance could easily fit under ITRG 03 “Manage Service Catalogs,” which outlines practical approaches for setting service level agreements.
It is therefore reasonable to have the 45 ITRG processes, outlined in the M&G, map to the 40 objectives outlined in COBIT 2019 along with the eight ITRG objectives that were originally added to fill in the gaps.
The ITRG M&G has focused on business alignment, risk management, and Agile development right at inception, suggesting the creation of COBIT 2019 is not straining compatibility but rather closing process and concept gaps left by COBIT 5.
Instead of having 45 ITRG processes map to 37 COBIT 5 objectives and an additional eight ITRG objectives, the 45 ITRG processes now map to 40 COBIT 2019 objectives and maintain their connection to the eight ITRG objectives. Given the detail in each ITRG process, having some ITRG processes map to multiple objectives is acceptable and indeed an artifact of the original mapping – Business Process Controls and Internal Audit as well as Stakeholder Relations map to two COBIT objectives (be it COBIT 5 or COBIT 2019).
- The six M&G processes under Strategy & Governance would map to seven COBIT 2019 objectives.
- The four M&G processes under Financial Management would map to four COBIT 2019 objectives.
- The four M&G processes under People & Resources would map to two COBIT 2019 objectives and two ITRG objectives.
- The four M&G processes under Service Planning & Architecture would map to four COBIT 2019 objectives and one ITRG objective.
- The eight M&G processes under Infrastructure & Operations would map to eight COBIT 2019 objectives.
- The seven M&G processes under Security and Risk would map to eight COBIT 2019 objectives.
- The five M&G processes under Applications would map to two COBIT 2019 objectives and two ITRG objectives.
- The three M&G processes under Data and Business Intelligence would map to one COBIT 2019 objective and three ITRG objectives.
- The four M&G objectives under PPM & Projects would map to five COBIT 2019 objectives.
How to best use the ITRG Management & Governance Framework
Start with the M&G Diagnostic (MGD). The MGD allows members of the IT organization to rate the maturity of all 45 processes on a scale of 1 to 10, along with how important these processes are to the strategic imperatives of the organization (also on a scale of 1 to 10). The difference between the maturity and importance ratings creates a criticality index that rallies the IT organization around strategic areas of focus.
Such a pointed approach is a more practical alternative to working with a CMMI rating because it optimizes the use of resources. This approach also promotes business alignment because process improvements expected to have the most impact on the organization are undertaken first.