The Promise of COBIT 5: What Is New?

March 2013

For anyone who benefited from COBIT 4.1 to control IT with the framework's well-organized list of domains and processes, COBIT 5 may look quite complicated or elaborate with its multi-dimensional approach and extended scope. I tried to find out what is new in the framework and how it is structured to help govern and manage enterprise IT.

COBIT 4.1 was well positioned as a control framework for IT to deliver against business requirements. This position perfectly supported the “monitor”, “control” and “direct” mandates of IT governance. COBIT 4.1 was process-oriented and had a flat structure for the whole list of IT processes in sets of activities with defined responsibilities, goals and performance metrics. Each process defined the control objective, its justification to meet the relevant business goals, mapping of the business goals to IT goals, and further definition of key controls to achieve those IT goals. Key metrics were listed to measure the performance of the process and activities. The relation of each IT process to the five IT governance focus areas* and the COBIT information criteria** was also provided. It was quite simple to follow this structure in order to control a single IT process.

COBIT 5 is now positioned as an IT Management and Governance Framework and extends COBIT 4.1 by integrating other major frameworks, standards and resources at a high level. All major ISACA frameworks and guidance are also integrated into the framework, with a primary focus on COBIT, Val IT and Risk IT. The governance of enterprise IT is now viewed as integrated into enterprise governance. The framework aims at a holistic and systematic view, achieved through a number of enablers. The enablers are enterprise-wide and end-to-end, covering both the IT functions and the non-IT business functions. There are seven categories*** of enablers in COBIT 5, and two enabler guides are already available, for processes and for information.

Higher-level IT-related goals define what the different enablers should achieve. The IT-related goals are linked to enterprise goals, and the enterprise goals are used to formalize and structure stakeholder needs. This is called the COBIT 5 goals cascade, and it is reminiscent of the mapping of business goals to IT goals and corresponding controls in COBIT 4.1. However, these mappings are now quite loose, with several dimensions and cross-mappings. The framework provides mapping tables for these relations and leaves the implementation to the practitioner, according to enterprise-specific needs and priorities. Enablers have dimensions (stakeholders, goals, life cycle and good practices) and they are also interrelated, i.e., each enabler needs the input of other enablers to be fully effective (e.g. processes need information) and delivers output to the benefit of other enablers (e.g. processes deliver information). All interrelated enablers need to be analyzed for relevance when dealing with any specific stakeholder need. COBIT 5 promises to provide guidance on all these issues.

The separation of governance and management is also one of the major highlights in the new framework. The new process reference model now defines and describes governance and management processes separately, including specific sets of practices and activities for each. Five processes are defined for governance where evaluate, direct and monitor (EDM) practices are defined within each of them. The management domains are an evolution of the COBIT 4.1 domain and process structure. Risk IT and Val IT process models are also integrated into the new COBIT 5 process reference model.

The framework is now more elaborate than its previous version. The COBIT 5 process reference model defines and describes a number of governance and management processes in detail. It represents all of the processes normally found in an enterprise relating to IT activities, providing a common reference model understandable to operational IT and business managers. The proposed process model is a complete, comprehensive model, but it is not the only possible process model. Each enterprise must define its own process set, taking into account its specific situation. The COBIT 5 Implementation publication provides guidance to adapt the framework to each enterprise’s unique environment.

Apparently, the framework now has several viewpoints with extensive coverage and a variety of resources that will be continually extended. COBIT 5 may well assist practitioners in achieving their objectives for successful management and governance of enterprise IT. The web link for the framework is http://www.isaca.org/COBIT.


* IT governance focus areas: Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement.

** COBIT information criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability.

*** The seven categories of enablers are:
– Principles, Policies and Frameworks
– Processes
– Organisational Structures
– Culture, Ethics and Behaviour
– Information
– Services, Infrastructure and Applications
– People, Skills and Competencies