CobiT® – Control Objectives for Information and Related Technology
- Buy the Complete CobiT 4.1 Publication Set, or
- Buy the CobiT 4.1 Manual, or
- Attend an Official CobiT 4.1 Foundation Training Course
Control Objectives for Information and Related Technology (CobiT) is an IT governance control framework that helps organisations meet today’s business challenges in the areas of regulatory compliance, risk management and aligning IT strategy with organisational goals. Browse CobiT books now!
Val IT is another IT governance framework; it provides a set of guiding principles and processes for IT portfolio management to help business managers realise value from IT investments. Val IT is closely entwined with CobiT. Browse Val IT books.
CobiT and Val IT are both published in the United States by the IT Governance Institute and the Information Systems Audit and Control Association (ISACA). CobiT was first published in the mid 1990s and has been through a number of development stages. The most recent version is 4.1.
Structure of CobiT
CobiT recognises 34 IT processes that are grouped into four domains. The four domains are:
- Plan and Organise
- Acquire and Implement
- Deliver and Support
- Monitor and Evaluate
Each process has a numerical level of maturity from 0 to 5 (0 is non-existent and 5 is optimised). This scale can be used for a number of key evaluations, such as the level of maturity a process is currently at within your organisation, what level of maturity the process should be at, what level is considered best practice, and what level the best of your competitors or other organisations have achieved.
The Complete CobiT 4.1 Publication Set is the most complete and up-to-date version of this important IT governance framework. It contains the following items, each of which can be ordered separately or as part of the Complete Publication Set:
- CobiT 4.1 Manual
- CobiT Control Practices, 2nd Edition
- IT Governance Implementation Guide: Using CobiT and Val IT, 2nd Edition
- IT Assurance Guide: Using CobiT
- CobiT Security Baseline, 2nd Edition
The latest version of CobiT (Version 4.1) is split into four sections:
- Executive Overview – provides key information on the key concepts and principles of CobiT, together with a full overview of other key areas of the framework;
- The Framework – defines the CobiT framework and provides an overview of the core components, processes, controls and relationships among processes, goals and metrics;
- Core Content (Control Objectives, Management Guidelines and Maturity Models) – the core content of the CobiT manual is divided according to the 34 IT processes. Each process is covered by four pages of individual in-depth information. The contents of each of these pages are as follows:
  - Page one – the high-level control objective for the process: process description, objectives, goals, metrics, practices, and mapping of the process to process domains, information criteria, IT resources and IT focus areas;
  - Page two – detailed control objectives for the process;
  - Page three – management guidelines, process inputs and outputs, a RACI (Responsible, Accountable, Consulted and/or Informed) chart, and goals and metrics; and
  - Page four – the maturity model for the process.
- Appendices – mappings and cross references, additional maturity model information, reference material, a project description and a glossary.
CobiT is closely related to the COSO control framework, which was developed by the Committee of Sponsoring Organizations of the Treadway Commission. COSO deals with the control of financial processes, whereas CobiT deals with IT processes. This downloadable webinar provides core guidance on aligning CobiT with COSO, with ERM and with ISO17799.
More information on the COSO control framework and internal controls can be found in The Manager’s Guide to Compliance. It provides a resource of US and global regulatory information, as well as critical compliance guidance, in an easy-to-access format.
CobiT as a tool for Sarbanes-Oxley Compliance
Following a wave of large corporate financial scandals in the late 1990s and the first few years of the 21st century, the United States enacted the Sarbanes-Oxley Act. SOX deals with how publicly traded companies (listed in the US) report financial information, and also includes other corporate governance regulations and standards.
The Sarbanes-Oxley Act stipulates that US publicly traded companies must ensure they have an internal system of control in place to ensure the disclosure of accurate financial information.
IT is inextricably linked to the reporting of financial information, as it is used for the storage, processing and management of financial data and documents. Thus organisations must have effective IT controls in place. The US SEC (Securities and Exchange Commission) has mandated the use of a recognised internal control framework, and CobiT is the most widely used of these for achieving IT SOX compliance.
An essential toolkit for achieving Sarbanes-Oxley IT compliance is Sarbanes-Oxley IT Compliance Using Open Source Tools, Second Edition. This book provides an essential route map and software tools (CD-ROM included) for achieving IT Sarbanes-Oxley compliance.
The Sarbanes-Oxley Act mandates that organisations must produce an internal control report which must be included in their annual Exchange Act report. IT Control Objectives for Sarbanes-Oxley, 2nd Edition, authored by the IT Governance Institute, provides a reference source for executives when evaluating an organisation's IT controls as required by the US Sarbanes-Oxley Act as part of the internal control report process.
CobiT and Other Frameworks
ISO/IEC 27002 (formerly ISO17799) is an international standard which provides best practice advice and guidance on information security. ITIL is a source of best practice information and processes relating to the delivery of IT as a service.
CobiT and the above standards and frameworks can be used together to achieve process improvement. CobiT does not supply a how-to route map for implementing IT or information security best practices; this is where ISO/IEC 17799 and ITIL come in, as they supply best practice information and processes. CobiT provides you with a control against which you can measure the processes contained in ISO 17799 and ITIL, and which can be leveraged for process improvement.
Copies of the core ITIL books, along with downloadable and paper versions of the ISO/IEC 17799 information security standard, are available from the IT Governance online store.