What is COBIT?

COBIT was created by ISACA with the mission of researching, developing, publishing and promoting an authoritative, up-to-date, internationally accepted set of IT control objectives and guidelines for day-to-day use by business managers and auditors.

Its stated aim is to establish itself as the globally recognized reference for governance, control and assurance of IT.

Work on updating ISACA's control objectives began in 1992, and in 1996 ISACA provided IT professionals with a framework of generally applicable and accepted IT control practices.

The evolution of COBIT:

  • COBIT 1 (1996): Audit
  • COBIT 2 (1998): Control
  • COBIT 3 (2000): Management
  • COBIT 4 (2005) / COBIT 4.1 (2007): IT Governance
    • Val IT 2.0
    • Risk IT
  • COBIT 5 (2012): Governance of Enterprise IT

In response to current needs, COBIT has evolved from an audit tool to an ICT governance framework, with the publication of COBIT 4 in 2005 and COBIT 5 in 2012.

COBIT 4

Starting from the premise that IT must deliver the information the organization needs to achieve its objectives, COBIT promotes a process approach with clear process ownership and accountability. It divides IT activity into 34 processes grouped into 4 domains, each of which defines high-level control objectives.

COBIT helps organizations meet their fiduciary, quality and security needs by defining seven information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability) that state generically what the business requires from IT.

To meet those objectives it relies on a set of more than 300 detailed control objectives.

To deliver this, IT draws on a set of resources, classified as:

  • Applications: the automated systems and manual procedures that process information.
  • Information: data in all its forms (inputs, processed data, outputs of information systems) used by the business.
  • Infrastructure: the technology and environment (hardware, operating systems, databases, networks, multimedia, etc.) that enable the applications to run.
  • People: the skills, knowledge and productivity of staff, both internal and contracted.

IT activity is then standardized through the processes COBIT proposes, grouped into the following domains:

  • Plan and organize (PO).
  • Acquire and implement (AI).
  • Deliver and support (DS).
  • Monitor and evaluate (M).

COBIT 4 is thus structured in 4 domains containing the 34 processes needed to govern IT; for each process, the activities or detailed tasks required to achieve its objectives and purpose are described. Note that the process codes and names listed below follow the numbering of COBIT 3 (for example PO11 and M1 to M4); COBIT 4.1 keeps 34 processes but renumbers and regroups some of them (for example, the monitoring domain becomes ME1 to ME4).

Process orientation

Each IT process must be formally defined, identifying and describing its main activities and sub-activities, the inputs it requires and the result it is expected to produce.

For each process to be properly controlled, the following elements must be defined:

  • Process owner: the person accountable to management for the process.
  • Process goals: the key goal indicators (KGIs), which measure whether the process achieves its intended outcomes.
  • Control objectives and key performance indicators (KPIs): the controls the process must satisfy, and the indicators that measure how well it is being performed.

Planning and organization (PO)

This domain covers strategy and tactics, and is concerned with identifying how information technology can best contribute to achieving business objectives. The realization of the strategic vision also needs to be planned, communicated and managed from different perspectives. Finally, an appropriate organization and technological infrastructure must be in place.

This domain answers the following questions:

  • Are IT and business strategy aligned?
  • Is the organization making optimal use of its resources?
  • Does everyone in the organization understand the IT goals?
  • Are IT risks understood and managed?
  • Is the quality of IT systems appropriate for business needs?

The processes defined for this domain are as follows:

  • PO1. Definition of a strategic IT plan.
  • PO2. Definition of the information architecture.
  • PO3. Determination of the technological direction.
  • PO4. Definition of the organization and IT relationships.
  • PO5. Manage IT investments.
  • PO6. Communication of management objectives and expectations.
  • PO7. Human resources management.
  • PO8. Ensuring compliance with external requirements.
  • PO9. Risk assessment.
  • PO10. Project management.
  • PO11. Quality management.

Acquire and Implement (AI)

To realize the IT strategy, IT solutions must be identified, developed or procured, and then implemented and integrated into the business processes. This domain also covers changes to and maintenance of existing systems, so that they remain supported throughout their lifecycle.

This domain answers the following questions:

  • Are new projects likely to deliver solutions that meet business needs?
  • Are new projects likely to be delivered on schedule and within budget?
  • Do the new systems work properly once implemented?
  • Are changes made without disrupting current business operations?

The processes defined for this domain are as follows:

  • AI1. Identification of solutions.
  • AI2. Acquisition and maintenance of application software.
  • AI3. Acquisition and maintenance of technological architecture.
  • AI4. IT development and maintenance.
  • AI5. Installation and accreditation of systems.
  • AI6. Change management.

Deliver and Support (DS)

This domain deals with the actual delivery of required services, ranging from traditional operations, through security and continuity aspects, to training. To deliver the services, the necessary support processes must be established. This domain also includes the actual processing of data by application systems, which is often classified under application controls.

This domain answers the following questions:

  • Are IT services being delivered in line with business priorities?
  • Are IT costs optimized?
  • Are IT systems used productively and securely by members of the organization?
  • Is there adequate confidentiality, integrity and availability at the level of information technologies?

The processes defined for this domain are as follows:

  • DS1. Define service levels.
  • DS2. Manage third-party services.
  • DS3. Manage capacity and performance.
  • DS4. Ensure continuous service.
  • DS5. Ensure systems security.
  • DS6. Identify and allocate costs.
  • DS7. Educate and train users.
  • DS8. Assist and advise IT customers.
  • DS9. Manage the configuration.
  • DS10. Manage problems and incidents.
  • DS11. Manage data.
  • DS12. Manage facilities.
  • DS13. Manage operations.

Monitor and evaluate (M)

All IT processes need to be regularly evaluated over time to determine their quality and compliance with control requirements. This domain therefore covers management's oversight of the organization's control processes and the independent assurance provided by internal and external audit or obtained from alternative sources.

This domain answers the following questions:

  • Is IT performance measured to catch problems before it's too late?
  • Does management ensure that internal controls are effective and efficient?
  • Is it possible to establish the relationship between IT performance and business goals?
  • Are there mechanisms in place to measure and report IT risk, control, compliance and performance?

The processes defined for this domain are as follows:

  • M1. Monitor the processes.
  • M2. Assess internal control adequacy.
  • M3. Obtain independent assurance.
  • M4. Provide for independent audit.

A basic need of every company is to understand the state of its own IT systems and to decide what level of management and control it should provide. To decide on the right level, management must ask itself: how far should we go, and is the cost justified by the benefit?

Companies should measure where they stand and where improvements are required, and put a management toolkit in place to monitor that improvement.

COBIT addresses these issues through:

  • Maturity models, which support evaluation through benchmarking and identify the capability improvements needed.
  • Performance goals and measures for IT processes, which show how processes meet business and IT needs and how process performance is measured, based on the balanced scorecard (BSC).
  • Activity goals, which help the processes perform effectively.

The maturity model for the management and control of IT processes is based on a method that lets the organization evaluate itself, from a non-existent level (0) to an optimized level (5). The approach derives from the Capability Maturity Model that the Software Engineering Institute defined for software development capability.

Whatever the model, the scales should not be too granular: that would make the system hard to use and suggest a precision that is not justifiable, since the purpose is generally to identify where the problems lie and how to prioritize improvements.

Maturity levels are designed as profiles of IT processes that a company would recognize as descriptions of its current and possible future states. They are not meant to be used as a threshold model, in which you cannot move to the next level without having met every condition of the lower one.

Unlike the original SEI CMM approach, COBIT maturity models do not intend to measure levels precisely or to certify that a level has been reached. A COBIT maturity assessment produces a profile showing which conditions at the various maturity levels have been met, because in practice an organization's implementation of a process will often satisfy conditions at several levels at once, even where none of them is complete or sufficient.

Using the maturity models developed for each of COBIT's 34 IT processes, management can identify:

  • The company's actual performance: where the company stands today.
  • The current state of the industry: the comparison.
  • The company's improvement target: where the company wants to be.
