An Overview of the COBIT Framework

For decades, managing IT functions has been an integral part of successfully achieving business goals. These functions have evolved over time, and today, considerations relating to cloud computing, big data, and mobility are the keys to success for many organizations. Of course, businesses want to take advantage of the latest tech capabilities. But the key to using IT successfully is actually more fundamental: adhering to IT governance best practices. For that, businesses large and small may want to turn to defined IT governance frameworks like COBIT. 

When it comes to incorporating IT functions, challenging questions can arise for business leaders, administrators in various departments, and, of course, IT professionals, whether in-house or managed services providers (MSPs). In every industry, organizations need frameworks to help implement governance strategies across siloed departments. At the same time, MSPs must be aware of how businesses use COBIT, and how their responsibilities and scope may be informed by customers’ IT governance frameworks. 

What is the COBIT framework? 

The COBIT acronym originally stood for “Control Objectives for Information and Related Technology,” although this longer version of the name is no longer used. The framework was originally developed by Information Systems Audit and Control Association (ISACA) in 1996, and focused specifically on financial auditing in IT environments. The second-most-recent version (from 2012), COBIT 5, incorporated governance activities like ISO 38500 and other ISACA frameworks while emphasizing IT governance for business success. A 2013 add-on included more information for risk management. 

The COBIT framework provides a set of best-practice controls around information technology, allowing businesses to add value through IT decisions while mitigating possible risks. With COBIT, a business has a high-level roadmap for developing and managing IT governance practices. It’s a supportive tool that bridges the gap between business and technical issues and gives stakeholders better risk management and COBIT compliance around their specific processes. With COBIT, a business gets the metrics, maturity models, and best practices that allow them to measure how objectives and processes are coordinating and succeeding. 

What is COBIT 2019? 

Released in 2018, the most recent version of this IT governance framework, COBIT 2019, is designed to evolve at the pace of modern business and technology. This version will have more frequent updates and will come with flexible, collaborative governance strategies specifically designed to address the rapid deployment of cutting-edge tech. It will also come with new concepts and terminology, including 40 governance and management objectives for better customization of IT governance strategies. 

The 2019 version has incorporated user feedback for several key improvements. This version includes an open-source model that encourages a quicker update cycle. By facilitating better alignment with global standards, this rapid update cycle makes COBIT more relevant across the world. There are now more online, collaborative features for ongoing support and additional tools for measuring IT performance. Other areas of focus include cloud computing and cybersecurity.

The overall structure of COBIT 2019 includes:

• Introduction and Methodology: This section outlines the basic COBIT principles and explains the framework as a whole. 
• Governance and Management Objectives: This section discusses the COBIT core model, including the 40 governance and management objectives.  
• Design Guide: This section goes into depth on how to develop a governance strategy that suits the unique needs of an organization. 
• Implementation Guide: This section gives best practices for how a business could implement its specific strategy.

COBIT 2019 also includes concepts that are specifically tailored to the needs of small and medium-sized businesses (SMBs). Although COBIT may be more common at the enterprise level, SMBs can also benefit from its principles. For MSPs, this new focus on SMBs means that a broader range of potential clients may look for a tech professional familiar with COBIT. 

What is the purpose of COBIT? 

The ultimate purpose of the COBIT framework is to ensure that IT investments are being prioritized in a way that helps businesses achieve their objectives without incurring additional IT risk. To that end, COBIT focuses on the following concepts: 

• Frameworks: Good information should support business decisions. IT governance frameworks link IT processes to an enterprise’s requirements. 
• Process Descriptions: Process-focused specifications are flexible for businesses, but also useful—processes are always results-oriented. These descriptions provide a reference model in a common vernacular that all stakeholders can consider when planning, building, and monitoring.
• Control Objectives: COBIT encourages businesses to consider objectives around control and responsibility to ensure they can effectively negotiate IT risk.
• Management Guidelines: A business needs a set of tools for assigning responsibility, as well as for self-assessing and approving IT measures. COBIT provides metrics to assess proper performance.
• Maturity Models: COBIT maturity models help businesses measure the capability of their processes in order to understand their progress and set priorities for improvement. 

All these focal points help business leaders identify responsibility through their organization, then use clearer communication to build and monitor high-level IT implementation. With COBIT, a business has a single roadmap for governance, risk, and compliance, as well as better insights into their ROI on IT services. For a new company, using a framework like COBIT may help fast-track their IT success without missing important elements. 

Compared with other IT governance frameworks, COBIT has a specific focus on security, risk management, and information governance. COBIT 2019 does not emphasize figuring out IT strategies and architecture, but instead focuses on governing and managing IT across an organization. It doesn’t help a business perform specific IT functions but takes a higher-level approach to implementing information technology for business success. 

The COBIT framework isn’t just for an IT department or MSP—in fact, it’s designed to be used throughout a business. Technology is an integral part of processes across many organizations and operations; marketing, sales, HR, administration, and more may use or manage certain IT functions. These parts of the business are also accountable as “process owners,” and must have some responsibility for the IT deployed within their operations. They will still look for guidance from an IT professional, of course, but COBIT can give them a framework that helps control the activities within their specific department and ensure their use of IT helps them achieve business objectives while mitigating risk. 

For an MSP, it’s important to figure out which IT decision rights they have. Ideally, they will be granted enough decision-making leeway to fulfill their contracted services according to their typical business model. At the same time, not all IT accountability should rest on an MSP’s shoulders—something the COBIT model makes clear—and departments throughout a business should recognize their distinct IT responsibilities.

While it has traditionally been an enterprise-level governance structure, the latest version of COBIT makes provisions for small and medium businesses as well, meaning MSPs may find these guidelines relevant for clients of all sizes. Overall, IT governance can be contractually determined, leading to improved effectiveness and better alignment between the MSP and the business.

What is the COBIT maturity model?

The COBIT maturity model is based on the Capability Maturity Model Integration (CMMI), which is the standard for information technology when it comes to operational efficiency. This model for optimizing development processes can help organizations streamline their process improvements, basing their behaviors on practices that decrease development risks. 

The CMMI model evaluates process and service development, the establishment and management of services, and the acquisition of products and services. It provides measurable benchmarks that help businesses keep their IT decisions cost-effective and progressive. With CMMI, businesses can vet their vendors and resolve process problems. Businesses may eventually reach Level 4 or 5 COBIT maturity, which suggests an organization’s processes are either running off quantitative data and successfully avoiding risks or are fully optimized and stable yet flexible enough to respond to new opportunities.

What are the five principles of COBIT? 

For MSPs, it’s worthwhile to have an understanding of COBIT’s basic principles—considering that these principles are also at the heart of other governance frameworks like TOGAF, an enterprise architecture framework that helps improve business efficiency. These principles are designed to be somewhat generic so they can be applicable for organizations across various industries: 

• Meet Stakeholder Needs: This means adding value through realizing IT benefits and resource use while mitigating risk.
• Cover the Enterprise End-to-End: This refers to the consideration of all business processes and functions that relate to information technology.
• Apply a Single, Integrated Framework: This means applying unified standards across the business.
• Enable a Holistic Approach: This means considering the seven COBIT “enablers,” including “People, Skills, and Competencies,” and “Culture, Ethics, and Behavior.”
• Separate Governance from Management: This means that the planning, building, running, and monitoring stages are separate from specific governance functions like monitoring, evaluating, and decision-making.

What are COBIT and ITIL?

COBIT and ITIL are both IT governance frameworks, but there are a number of differences between the two. Some say COBIT is the “why” and ITIL is the “how,” although this is somewhat oversimplified. COBIT focuses on generating value for the business through investments in IT while simultaneously mitigating risks. ITIL, formerly an acronym for Information Technology Infrastructure Library, is focused on managing IT services across their lifecycle, which is typically considered a more foundational starting place for IT development. COBIT builds on top of ITIL processes with a control framework for structuring those processes. While ITIL is almost always necessary for a business, there are existing alternatives to COBIT.

MSPs may encounter businesses that only use ITIL or use both ITIL and COBIT, and they should be familiar with the thought processes behind both approaches. Businesses invest in these frameworks to ensure their IT is functional and provides real value, and MSPs may need to be prepared to work within this framework as they provide many of the actual IT-related services those businesses hope to leverage.

If you are an MSP, you should be sure to do your research on IT governance frameworks, develop best practices for your own business, and understand what your customers may ask of you. Explore our blog for more information about crafting an IT strategy for your business.

Additional Resources: 

• 6 Ways IT Teams Can Help Reduce Rework and Unproductive Labor
• How to Keep Your IT Skills Up to Date
• 7 Common Mistakes Growing MSPs Can Make