Author: Kumaragunta Harisaiprasad, CISA, APP, ISO 22301 LI, ISO 27001 LA, ISO 9001 LA, Six Sigma Green Belt
Date Published: 27 April 2020
COBIT® is a broad and comprehensive framework that has been developed to support understanding, designing and implementing the management and governance of enterprise IT (EGIT). COBIT defines the components and design factors needed to build and sustain a best-fit governance system. COBIT was first released in 1996; the latest version, COBIT 2019, was released in 2018. COBIT 5 was published in 2012 and was updated to COBIT 2019 to include new technology and business trends in information and technology (I&T) such as digitization. New insights from experts in IT and governance were included in the new version. For a smoother transition to COBIT 2019, it is necessary to know the major differences between COBIT 5 and COBIT 2019.
Principles and Objectives
There are 6 governance system principles in COBIT 2019, as compared to 5 in COBIT 5 (figure 1). Governance principles exist to ensure that stakeholder needs are evaluated and agreed on based on enterprise objectives, to set direction through prioritization and decision-making, and to monitor performance and compliance against the set direction and objectives.
Figure 1—Governance Principles in COBIT 2019 and COBIT 5
Source: ISACA®, COBIT® 2019 Framework: Introduction and Methodology, figure 3.5, USA, 2018, and COBIT® 5 figure 2, USA, 2012.
Along with adding a governance principle, COBIT 2019 revises some of the terminology used to define the principles, as described in the following section.
The governance and management objectives are similar in both versions (figure 2).
Figure 2—Governance and Management Objectives in COBIT 5 and COBIT 2019
Source: ISACA, COBIT 2019, USA, 2018, and COBIT 5, USA, 2012.
Processes
More changes can be noted in the processes that support the governance and management objectives. The number of processes increases from 37 in COBIT 5 to 40 in COBIT 2019. The terminology also changes slightly, from the verb “manage” in COBIT 5 to the adjective “managed” in COBIT 2019.
Specific examples include:
- In Align, Plan and Organize (APO), one process is added (APO14 Managed Data) and the terminology in APO10 is changed from “supplier” to “vendor.”
- In Build, Acquire and Implement (BAI), one process is added (BAI11 Managed Projects). In addition, in COBIT 2019, BAI06 and BAI07 specify that the changes being managed, accepted and transitioned are IT changes.
- In Monitor, Evaluate and Assess (MEA), one process is added (MEA04 Managed Assurance) and the terminology in the other three MEA processes is changed to emphasize the use of “managed” instead of “Monitor, Evaluate and Assess.”
Framework Principles
Governance framework principles (figure 3) are added in COBIT 2019. The conceptual model referred to in the first principle identifies key components and the relationships among them, to maximize consistency and allow automation. The openness and flexibility cited in the second principle imply that new content can be added and new issues addressed in a flexible way while preserving integrity and consistency. The third principle points out that the model should be aligned with major standards, frameworks and regulations.
Figure 3—COBIT 2019 Governance Framework Principles
Source: ISACA, COBIT® 2019 Implementation Guide, figure 2.2, USA, 2018.
Performance Management and Design Factors
Performance management in COBIT 2019 is based on the CMMI Performance Management Scheme, in which capability and maturity levels are measured on a scale of 0 to 5, whereas the scale used in COBIT 5 is based on International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) ISO/IEC 33000 Software Process Improvement and Capability Determination (SPICE). The descriptions of the capability and maturity levels in each COBIT version are shown in figure 4.
Figure 4—Capability Levels of COBIT 2019 and COBIT 5
Source: ISACA, COBIT 5 figure 19, USA, 2012, and COBIT 2019 Framework: Governance and Management Objectives, figure 3.5, USA, 2018.
Enablers have been removed from COBIT 2019 for simplification.
Design factors, which are introduced in COBIT 2019, are the factors that influence the design of the enterprise governance system (figure 5).
Figure 5—COBIT 2019 Design Factors
Source: ISACA, COBIT® 2019 Design Guide: Designing an Information and Technology Governance Solution, figure 2.4, USA, 2018.
Governance System Design Workflow
To facilitate application, a governance system design workflow (figure 6) is adopted. This workflow is fully explained in ISACA’s COBIT® 2019 Design Guide and Toolkit: Designing an Information and Technology Governance Solution. The tool kit can be used to change the values to fit the organization’s context.
Figure 6—Governance System Design Workflow
Source: ISACA, COBIT 2019 Framework: Introduction and Methodology, figure 7.2, USA, 2018.
The tool kit provides a chart for weighting the 40 processes by giving each governance and management objective a score, which is categorized into initial, refined and concluded scopes. The initial scope score is based on the weights of the following design factors (figure 5): enterprise strategy, enterprise goals, risk profile, and information and technology (I&T)-related issues. The refined scope is based on the weights of these design factors: threat landscape, compliance requirements, role of IT, sourcing model for IT, IT implementation methods and technology adoption strategy. The concluded scope is based on resolving conflicts and completing the governance system design. The weight of each design factor is based on the relative importance of the governance/management objectives.
This relative importance of the governance and management objectives is expressed as a value that indicates the influence of a given design factor on the importance of a given COBIT governance or management objective, as compared to a baseline (standard) situation. The value is calculated as the percentage difference between the baseline and the current situation, as determined by the values entered for the design factor at hand.
For all design factors except risk profile, the weight is based on importance; for risk profile, it is based on risk rating.
Figure 7 summarizes the differences between COBIT 5 and COBIT 2019.
Figure 7—Key Differences Between COBIT 5 and COBIT 2019
COBIT 5 | COBIT 2019
Five governance principles | Six governance principles
37 processes | 40 processes
“Manage” terminology is used for management processes | “Managed” terminology is used for management processes
Governance framework principles are absent | Governance framework principles are added
Measuring performance uses a 0-5 scale based on ISO/IEC 33000 | CMMI performance management scheme is used
Enablers are included | Enablers are renamed as components
Design factors are not available | Design factors are included
Conclusion
COBIT 2019 has six governance principles instead of five. The number of processes supporting the governance and management objectives is increased from 37 to 40, with some changes in terminology. Governance framework principles are added, and performance management is based on the CMMI performance management scheme instead of ISO/IEC 33000. Finally, 11 design factors that influence the design of the enterprise governance system are introduced, and enablers are removed. An enterprise governance system can be designed using ISACA’s tool kit by entering appropriate values in the respective fields. COBIT 2019 includes new technology and business trends in I&T. It can be integrated with other international standards, guidelines, regulations and best practices unique to your organization to provide an effective EGIT framework.
Kumaragunta Harisaiprasad, CISA, APP, ISO 22301 LI, ISO 27001 LA, ISO 9001 LA, Six Sigma Green Belt
Is an associate consultant with Mahindra SSG in India. He has 12 years of experience in the industry. He is currently the ISACA New Delhi (India) Chapter leader and social media chair. He is also a topic leader for the ISACA Certified Information Systems Auditor® (CISA®) online forum. He is a frequent contributor to blogs and has published articles related to the information security domain in the ISACA Now blog and the ISACA® Journal. He conducts user awareness training, internal auditor training, International Organization for Standardization (ISO) 27001 audits, regulatory audits, third-party audits, internal audits, IT audits, risk assessment and implements ISO 27001, among other tasks. He can be contacted at harisaiprasad@gmail.com.