COBIT is a framework for developing, implementing, monitoring and improving information technology (IT) governance and management best practices. The COBIT framework is published by the IT Governance Institute (ITGI) and ISACA.

In the United States, COBIT is the most commonly used framework for achieving compliance with the Sarbanes-Oxley Act (SOX). The name COBIT originally stood for "Control Objectives for Information and Related Technology," but the spelled-out version of the name was dropped in favor of the acronym in the fifth iteration of the framework.

The original version of COBIT was published in 1996 and focused largely on auditing IT controls. COBIT 2019, which is the most current version of the framework, places emphasis on the value that information governance can provide to a business's success.

Why is COBIT important?

The goal of the COBIT framework is to provide a common language for IT professionals, business executives and compliance auditors to communicate with each other about IT controls, goals, objectives and outcomes. Without a common language, an enterprise that is being audited runs the risk of having to educate individual auditors about when, where, how and why specific IT controls were created.

COBIT principles

COBIT is based on five key principles for governing and managing enterprise IT:

  • Principle 1: Meeting Stakeholder Needs
  • Principle 2: Covering the Enterprise End-to-End
  • Principle 3: Applying a Single Integrated Framework
  • Principle 4: Enabling a Holistic Approach
  • Principle 5: Separating Governance from Management

The framework also identifies seven aspects of governance that need to be in place in order to support the five principles above:

  1. Principles, Policies and Frameworks
  2. Processes
  3. Organizational Structures
  4. Culture, Ethics and Behavior
  5. Information
  6. Services, Infrastructure and Applications
  7. People, Skills and Competencies


COBIT is published by ITGI, a nonprofit research entity created by ISACA in 1998. First released in 1996, COBIT was often perceived as merely an audit framework. Time has shown, however, that, if implemented correctly, the framework can also be used to manage risk.

ISACA also has two related products, Val IT and Risk IT, which integrate with COBIT. Val IT focuses on governance as it relates to IT investments. Risk IT addresses the dangers associated with IT technical issues in more detail.


COBIT and IT Infrastructure Library (ITIL) are both regarded as important analytical tools for governing IT services. The two frameworks, which overlap somewhat, can be used together quite effectively. While the ITIL framework has a narrow focus on IT service management (ITSM), the COBIT framework has a broader, risk management focus that can be applied to almost any area of the business.

When an enterprise needs to document compliance, ITIL requires the use of third-party tools, such as the Tudor IT Process Assessment (TIPA). In contrast, COBIT audits are always conducted by ISACA Certified Information Systems Auditors (CISAs).


The Open Group Architecture Framework (TOGAF) is another governance, risk and compliance (GRC) framework that complements COBIT. TOGAF was created and is maintained by The Open Group, an independent industry association. It builds on an earlier framework known as TAFIM, or Technical Architecture Framework for Information Management, originally devised by the U.S. Defense Department (DOD). In early 2009, The Open Group released TOGAF version 9. The Open Group and others commonly lead TOGAF certification and educational programs today. Typically, enterprise architects lead the use of TOGAF within organizations.

COBIT 5 benefits vs. COBIT 2019

COBIT 5 expanded on COBIT 4.1 by integrating related standards from the International Organization for Standardization (ISO), including ITIL.

ISACA updated every part of the COBIT framework for 2019. Changes and additions to COBIT 2019 are listed in the COBIT document suite, which is available to ISACA members for free.

Changes include the following:

  • an updated alignment with global standards, frameworks and best practices;
  • a mechanism that enables the COBIT community to provide feedback, share applications and propose enhancements to the framework; and
  • new guidance and tools for tailoring an IT governance system to a specific enterprise's needs.

COBIT 2019 components

COBIT 2019 has four main parts:

  1. Introduction and Methodology. The 2019 update expands governance guidelines and includes capability maturity models. COBIT 2019 includes capability maturity models and a scored approach to evaluating how well an organization's governance and management efforts are working.
  2. Governance and Management Objectives. The 2019 update details the COBIT Core Model and metrics for evaluating each of the model's 40 objectives.
  3. Designing an Information and Technology Governance Solution. This new addition to COBIT 2019 provides practical advice for how to tailor governance to meet a specific organization's needs.
  4. Implementing and Optimizing an Information and Technology Governance Solution. The update provides details for how to use the Design Guide with the COBIT framework.

Who uses COBIT to do their job?

If someone is applying for one of the following positions, she should become familiar with COBIT and related governance frameworks:

  • chief information security consultant
  • chief information security officer (CISO)
  • director, security assurance
  • GRC consultant
  • information assurance analyst
  • information security administrator
  • information security assurance analyst
  • infosec risk analyst
  • IT governance analyst
  • IT security engineer
  • principal cybersecurity manager
  • principal information assurance officer
  • regional information security analyst
  • risk officer
  • security systems administrator
  • senior director of cybersecurity
  • senior GRC analyst
  • senior information security assurance consultant
  • senior information security risk officer
  • senior IT security consultant
  • senior IT security operations specialist
  • third-party risk management compliance analyst

What is ISACA?

ISACA sets and develops guidance and controls for information governance, control, security and audit professionals. The global organization sponsors and drives the COBIT framework. ISACA originally stood for "Information Systems Audit and Control Association," but the organization now simply goes by ISACA.

ISACA certifications

ISACA certifications are designed to show employers that a job candidate has the necessary experience and knowledge to do the job. ISACA professional certifications include the following:

  • CISA assesses the candidate's knowledge, expertise and skill in implementing IT controlsin an enterprise environment. This certification is designed for anyone tasked with auditing IT systems.
  • Certified Information Security Manager (CISM) assesses both technical and managerial skills. This certification is designed for security leaders who design, engineer, implement and manage the overall security posture of an organization.
  • Certified in the Governance of Enterprise IT (CGEIT) assesses key knowledge areas related to the governance responsibilities of senior management, including the board of directors. This certification is designed for IT professionals who manage and provide advisory or assurance services that support IT governance.
  • Certified in Risk and Information Systems Control (CRISC) assesses the overall impact and potential dangers that IT risks present to the modern enterprise. This certification is designed for anyone charged with creating policies and procedures designed to minimize risk.
This was last updated in December 2019

Continue Reading About COBIT

Dig Deeper on IT security audits and audit frameworks