The Control Objectives for Information and Related Technologies (COBIT) was founded by the Information Systems and Audit Control Association (ISACA). COBIT is a framework that seeks to provide guidelines for organizing enterprise information technology management. Aligning all your security-first information and security compliance initiatives with COBIT best practices will enable your organization to maintain a steadfast risk management program.
ISACA in Brief
ISACA was initially established in 1969. The organization’s mandate is to create a globally-recognized IT certification besides developing auditing control guidance. ISACA is the brains behind the IT Governance Institute (ITGI), which solely focuses on discovering and publishing relevant resources that provide real-time guidance and standards for maintaining information security controls that are up-to-date.
What is COBIT 5?
COBIT 5 basically provides an information technology framework that integrates ISACA’s proprietary Risk IT, Information Technology Infrastructure Library (ITIL), and Val IT with relevant standards prescribed by the International Organization for Standardization (ISO). Through the combination of these elements, COBIT 5 seeks to provide an all-encompassing cybersecurity program for enterprise information technology governance.
COBIT 5 offers all organizations a way of evaluating and defending data as a core part of their business processes. With an objective of enabling non-profit, public sector, and commercial companies streamline their IT processes, COBIT mainly focuses on providing practical guidance for ensuring reliability, quality, and control of IT infrastructure.
Why Choose COBIT 5?
COBIT 5 will allow you to align most of your current controls with various other benchmarks and regulatory compliance requirements. For instance, if you intend to conform to the benchmarks of the COSO framework, you can use COBIT 5 to measure and define IT control effectiveness. In addition, COBIT 5 defines five core maturity models that can help you determine whether or not you are on the right path as far as complete compliance is concerned.
Using the COBIT Framework 5 Principles to Ensure Best Practices
ISACA bases COBIT 5 on five pertinent guiding principles, which underlie COBIT’s unique approach to information governance and management. By ensuring that your internal controls and IT processes are aligned with these high-level principles, it will be easy to establish an enterprise approach that matches your business objectives.
Principle 1: Fulfill Stakeholder Needs
ISACA recognizes the fact that your organization has different stakeholders who have varying and sometimes conflicting needs. For instance, the marketing department may need to use social media in a bid to build your brand image. Nonetheless, third-party social media applications typically ignore data threats that the IT department is required to mitigate.
The best practice for meeting stakeholder needs is to define tangible and relevant goals and defining levels of responsibility. This will help you identify and communicate enablers’ significance.
Principle 2: Cover the Enterprise End-to-End
Information governance needs to incorporate all IT-related technologies. Everyone in your organization should be aware of information assets that enable your business objectives. The best practices for covering the organization end-to-end include defining governance enablers, defining governance scope, and assigning roles and activities.
Principle 3: Use a Single Integrated Framework
COBIT 5 aligns to various frameworks. Some are IT-related while others are related to risk management. From an enterprise management approach, COBIT 5 draws from ISO/IEC 9000, COSO ERM, ISO/IEC 31000, and CSO. From an IT related approach COBIT focuses on integrating ITIL, TOGAF, ISO/IEC 27000 series, CMMI, and ISO/IEC 38500.
The best practices for applying an integrated framework entail reviewing standards that relate to your organization, engaging in appropriate risk identification, and ensuring that COBIT 5 is aligned to your organization’s goals.
Principle 4: Enable a Holistic Approach
As part of having a holistic approach towards information governance, COBIT seeks to integrate factors that collectively and individually influence the attainment of your business objectives. Frameworks, principles, and policies tie together organizational structures, corporate ethical culture, and processes to services/application/infrastructure, people/skills/competences, and information.
The best practices for enabling a holistic approach include defining key decision-making entities, outlining activities and practices for achieving your objectives, defining behaviors of the organization and individual members that are most important, and defining roles based on individual skills and competencies.
Principle 5: Detach Governance from Management
Governance entails monitoring, directing, and evaluating the information management program that you put in place. On the other hand, management entails planning, monitoring, and running daily activities. Your organization’s board of directors’ role is governance while the executive management under the CEO is mandated with management. Even though the COBIT framework integrates 37 processes and 5 domains, the high-level overview offers an outline for separating governance from management.
The best practices for governance may include creating enterprise-guiding principles, establishing a decision-making model, creating authority levels, reviewing enterprise governance communications, and receiving feedback on governance performance and effectiveness. The best practices for management include communicating ground rules, establishing IT-related policies, and communicating IT objectives.
Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to
pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.