
COBIT 5 certification: Should compliance professionals pursue it?

Expert Mike Chapple details the COBIT 5 certification process and determines if security and compliance professionals should pursue it.

COBIT recently announced its COBIT 5 Certified Assessor Program. My organization uses COBIT. Under what circumstances does it make sense to invest in COBIT 5 certification, and who or which roles should pursue it?


Propagated by the Information Systems Audit and Control Association (ISACA), the Control Objectives for Information Technology (COBIT) are a widely accepted set of practices for managing and governing information technology activities. They are primarily used by auditors seeking a standard framework to evaluate an organization's technology control environment and by security and governance professionals seeking an objective basis for their IT control programs. The COBIT 5 Certified Assessor Program provides individuals with a way to demonstrate their competence in applying the COBIT framework to IT processes.

To achieve COBIT 5 certification, individuals must complete an approved COBIT 5 assessor training program, pass two COBIT examinations and demonstrate that they have five or more years of relevant work experience. These are significant, costly hurdles, and, in my opinion, the barriers to entry do not justify members of the general information security and IT audit communities working toward this credential. Most individuals would likely be better served by obtaining the more widely recognized general certifications in their field, such as the Certified Information Systems Security Professional (CISSP) or Certified Information Systems Auditor (CISA) credentials. The CISSP and CISA both require security and compliance professionals to demonstrate a solid foundation of knowledge and work experience without limiting themselves to one particular standard.

The limited case where the COBIT 5 credential might make sense is for IT professionals who work in an enterprise that is firmly committed to COBIT implementation or IT auditors who routinely encounter COBIT in their regular duties. In those cases, COBIT certification may be appropriate, provided the employer is willing to provide funding! For professionals looking to obtain a credential that increases their marketability in the broader employment market, though, I'd suggest looking elsewhere.

This was last published in November 2013


1 comment


Hi Mike, You are right that the COBIT Certified Assessor is best suited for internal/external auditors, IT auditors and consultants whose main focus is to assess an enterprise’s process capabilities against the COBIT 5 Process Assessment Model. That is exactly who it was designed for. While it is called a certification, it is not designed to be comparable to credentials such as CISA, CISM, CGEIT or CRISC. I was the first COBIT Assessor certified by ISACA. I chose to obtain the designation because as a process consultant and trainer, this certification will give me more credibility to perform process performance assessment for my clients. Our promise is effectiveness and efficiency through process implementation, and COBIT 5.0 Process capability assessment is all about measuring Process Performance.