ISACA has released an update to the COBIT 5 governance framework that the organization says promotes continuity between an enterprise’s IT department and overall business goals.
With increased focus on business -- as opposed to control -- objectives, COBIT continues to improve.
“One of the key principles of COBIT 5 is we actually split the concept of governance through management,” said Derek Oliver, co-chair of the COBIT 5 Task Force. “In the past, it’s been very management-focused. With COBIT 5 we’ve got a whole new area -- this is what governance is, this is what you and the C-suite need to be doing to drive your business information.”
The original version of COBIT was released in 1996, and has been downloaded more than 100,000 times. The downloadable COBIT update is the result of a four-year initiative led by a global task force and has been reviewed by experts worldwide.
COBIT 5 can be tailored to meet an enterprise’s specific business model, technology environment, industry, location and corporate culture. Its open design means it can be applied to meet needs such as information security, risk management, regulatory compliance and financial processing.
With ISACA’s updates, COBIT 5 continues to target GRC objectives, said Brian Barnier, principal analyst and advisor at ValueBridge Advisors LLC. “With increased focus on business -- as opposed to control -- objectives, COBIT continues to improve,” Barnier said.
The COBIT 5 framework is designed around five principles and seven enablers. The principles are:
- Meeting stakeholder needs.
- Covering the enterprise, end to end.
- Applying a single, integrated framework.
- Enabling a holistic approach.
- Separating governance from management.
The enablers, which ISACA said help achieve enterprise goals, are: processes; principles, policies and frameworks; organizational structures; people, skills and competencies; culture, ethics and behavior; services, infrastructure and applications; and information.
“Within COBIT itself, users will notice an increased focus on business objectives, enablers to the success of enterprise governance of IT and a new approach to maturity evaluation,” Barnier said.
One of these users will eventually be BlueCross and BlueShield (BCBS) of North Carolina. BCBS North Carolina recently began finalizing a contract to outsource its data center, and COBIT updates will be incorporated in the near future, said Marty King, IT risk and compliance audit lead at BCBS.
"What's that done is actually made me realize how much more we're going to need COBIT 5 -- it has that governance aspect, it has that risk aspect," King said. "As we go through and talk about what we have in place for compliance, what internal controls we need to have in place, we're going to invoke COBIT 5."
The new version of COBIT is also designed to integrate other approaches and standards, including TOGAF, PMBOK, Prince2, COSO, ITIL, PCI DSS, the Sarbanes-Oxley Act and Basel III. By using a common vocabulary and set of processes, COBIT 5 enlists stakeholders from across the organization in considering key business and technology issues such as cloud computing, mobile devices and data security.
"It is clear that enterprises everywhere are aggressively seeking guidance on how to manage and ensure value from the growing mountain of information and increasingly complex technologies they are grappling with," Oliver said. "Information is the currency of the 21st century, and COBIT helps enterprises effectively govern and manage this critical asset."
More on GRC processes
King said she's looking forward to invoking the updates to COBIT 5. BCBS uses COBIT 4.1 for processes such as risk management and it has proven invaluable, she added. She expects COBIT 5 to be most useful in areas such as risk management and Val IT.
"Basically, it's a consolidation of things that were in existence -- it gives you sort of an end-to-end governance structure," King said of COBIT 5.
Use COBIT 5 for IT/business alignment
IT professionals in both managerial and assurance roles can take advantage of the enhanced and more integrated content -- especially by better connecting to business objectives, Barnier said.
As with any product, the challenge facing IT leaders is when and how to implement COBIT 5, he added.
"Here, considerations include maturity of existing COBIT implementations and thoughtfully considering which aspects to implement and at what depth to capture the most value while avoiding complexity and cost," Barnier said. "For example, many COBIT implementations today are used primarily for operational controls, not business-IT linkage."
Moving to COBIT 5 without a clear focus on business financial and operational objectives would be a "rather hollow experience," Barnier said.
"Worse, it could easily slip into churn, instead of practical performance," Barnier said. "Begin with the business."
Oliver said COBIT 5 takes a logical path by starting at the top and determining stakeholders' needs. Then organizations can figure out proper management processes that not only help the business, but also satisfy regulators and meet compliance objectives.
"I think what we achieve with COBIT 5 is very much a very valuable document for executives to use to say, 'Are we getting the right information to run our business?'" Oliver said. "You can't make good, quality decisions unless you’ve got good-quality information."
More information on COBIT 5 and how to implement it is available at www.isaca.org/cobit.