Control Objectives for Information and related Technology (COBIT) Compliance

Overview

COBIT (Control Objectives for Information and related Technology) is designed to be an Information Technology governance aid to the management in their understanding and managing of the risks and benefits associated with information and related technology. Our COBIT compliance services assist in achieving control objectives by managing the security function through the following four broad domains:

  • Planning & Organisation
  • Acquisition and implementation
  • Delivery and support
  • Monitoring

Scope:

  • IT processes
  • IT resources
  • Information criteria

Features

COBIT provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of information technology and developing appropriate IT governance and control in a company.

The COBIT Publication is split into 4 major sections:

  • Executive Overview – provides information on the key concepts and principles of COBIT, together with a full overview of the other major areas of the framework.
  • The Framework – defines the COBIT framework and gives an overview of the core components, processes and controls, and the relationships among processes, goals and metrics.
  • Core Content (Control Objectives, Management Guidelines and Maturity Models) – the core content of the COBIT manual is divided according to the 34 IT processes. Each process is covered by 4 pages of in-depth information, with the following contents:
    • Page one – the high-level control objective for the process: process description, objectives, goals, metrics, practices, and the mapping of the process to process domains, information criteria, IT resources and IT focus areas.
    • Page two – the detailed control objectives for the process.
    • Page three – management guidelines: process inputs / outputs, a RACI (Responsible, Accountable, Consulted and/or Informed) chart, goals and metrics.
    • Page four – the maturity model for the process.
  • Appendices – mappings and cross references, additional maturity model information, reference material, a project description and a glossary.

COBIT covers four domains:

  • Plan and organise
  • Acquire and Implement
  • Deliver and Support
  • Monitor and Evaluate

Benefits

In an age of increasing electronic business and technology dependence, organisations are required to demonstrably attain increasing levels of security and control. Every organisation must understand its own performance and must measure its progress. Benchmarking and measuring progress against peers and the enterprise strategy is one way of achieving a competitive level of IT security and control. The COBIT Management Guidelines provide management not only with pragmatic guidance via these maturity models, but also with critical success factors and suggested performance measures to answer the perpetual question: 'What is the right level of control for my IT such that it supports my enterprise objectives?'

  • Benefit from the documentation contributed by hundreds of IT professionals, auditors and business managers on the ISACA website.
  • Assess your security position with minimal time and money.
  • Calculate milestones for you and your staff to minimise the possibility of confusion or miscommunication.
  • Bring efficiency to your security process and staff.
  • Gain compliance with SOX along with COBIT.
  • Evaluate your success in implementing control structures.
  • Gain from the shared knowledge of other organisations.
  • A powerful engine to drive even more new ideas and solutions from your team.

Technical Information

COBIT was first released in 1996. Its mission is “to research, develop, publicize and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors.” Managers, Auditors, and users benefit from the development of COBIT because it helps them understand their IT systems and decide the level of security and control that is necessary to protect their companies’ assets through the development of an IT governance model.

COBIT 4.1 has 34 high-level processes that cover 210 control objectives categorised in four domains: Planning and Organisation, Acquisition and Implementation, Delivery and Support, and Monitoring. COBIT provides benefits to managers, IT users and auditors. Managers benefit from COBIT because it provides them with a foundation upon which IT-related decisions and investments can be based. Decision making is more effective because COBIT aids management in defining a strategic IT plan, defining the information architecture, acquiring the necessary IT hardware and software to execute an IT strategy, ensuring continuous service, and monitoring the performance of the IT system. IT users benefit from COBIT because of the assurance provided to them by COBIT's defined controls, security and process governance. COBIT benefits auditors because it helps them identify IT control issues within a company's IT infrastructure and corroborate their audit findings.

The complete COBIT package is a set consisting of six publications:

Executive Summary
Sound business decisions are based on timely, relevant and concise information. Specifically designed for time-pressed senior executives and managers, the COBIT Executive Summary consists of an Executive Overview, which provides a thorough awareness and understanding of COBIT's key concepts and principles. Also included is a synopsis of the Framework, which provides a more detailed understanding of these concepts and principles while identifying COBIT's four domains (Planning and Organisation, Acquisition and Implementation, Delivery and Support, Monitoring) and 34 IT processes.

Framework
A successful organisation is built on a solid framework of data and information. The Framework explains how IT processes deliver the information that the business needs to achieve its objectives. This delivery is controlled through 34 high-level control objectives, one for each IT process, contained in the four domains. The Framework identifies which of the seven information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability), and which IT resources (people, applications, information and infrastructure), are important for the IT processes to fully support the business.

Control Objectives
The key to maintaining profitability in a technologically changing environment is how well you maintain control. COBIT's Control Objectives provide the critical insight needed to delineate a clear policy and good practice for IT controls. Included are the statements of desired results or purposes to be achieved by implementing the 214 specific and detailed control objectives throughout the 34 IT processes.

IT Assurance Guide (formerly Audit Guidelines)
To achieve your desired goals and objectives you must constantly and consistently audit your procedures. The Audit Guidelines outline and suggest actual activities to be performed corresponding to each of the 34 high-level control objectives, while substantiating the risk of control objectives not being met. The Audit Guidelines are an invaluable tool for information systems auditors in providing management assurance and/or advice for improvement.

Implementation Tool Set
The Implementation Tool Set contains Management Awareness and IT Control Diagnostics, an Implementation Guide, FAQs, case studies from organisations currently using COBIT, and slide presentations that can be used to introduce COBIT into organisations. The new Tool Set is designed to facilitate the implementation of COBIT, relate lessons learned from organisations that quickly and successfully applied COBIT in their work environments, and lead management to ask about each COBIT process: Is this domain important for our business objectives? Is it well performed? Who does it and who is accountable? Are the processes and controls formalised?

Management Guidelines
To ensure a successful enterprise, you must effectively manage the union between business processes and information systems. The new Management Guidelines are composed of Maturity Models, to help determine the stages and expectation levels of control and compare them against industry norms; Critical Success Factors, to identify the most important actions for achieving control over the IT processes; Key Goal Indicators, to define target levels of performance; and Key Performance Indicators, to measure whether an IT control process is meeting its objective. These Management Guidelines will help answer the questions of immediate concern to all those who have a stake in enterprise success.

COBIT covers four domains:

Plan and organise
The Planning and Organisation domain covers the use of information and technology and how best it can be used in a company to help achieve the company's goals and objectives. It also highlights the organisational and infrastructural form IT is to take in order to achieve optimal results and to generate the most benefits from the use of IT. The following table lists the high-level control objectives for the Planning and Organisation domain.

Acquire and Implement
The Acquire and Implement domain covers identifying IT requirements, acquiring the technology, and implementing it within the company's current business processes. This domain also addresses the development of a maintenance plan that a company should adopt in order to prolong the life of an IT system and its components. The following table lists the high-level control objectives for the Acquisition and Implementation domain.

Delivery and Support
The Delivery and Support domain focuses on the delivery aspects of information technology. It covers areas such as the execution of the applications within the IT system and their results, as well as the support processes that enable the effective and efficient execution of these IT systems. These support processes include security issues and training. The following table lists the high-level control objectives for the Delivery and Support domain.

Monitor and Evaluate
The Monitoring and Evaluation domain deals with a company's strategy for assessing the needs of the company and whether or not the current IT system still meets the objectives for which it was designed, as well as the controls necessary to comply with regulatory requirements. Monitoring also covers the independent assessment, by internal and external auditors, of the effectiveness of the IT system in meeting business objectives and of the company's control processes. The following table lists the high-level control objectives for the Monitoring domain.