COBIT 5: A first look at the recent updates

In this tip, learn how to integrate the new management practices from COBIT 5 into current IT security framework implementations.

COBIT, the globally acknowledged leading framework for IT management and control, is about to see some big cha...


ISACA, the industry group behind the framework, has recently released the draft version of COBIT 5, an updated version that aims to be better and easier to navigate, understand and, hopefully, apply.

In the new version, which ISACA expects to finalize this fall, the domain and process structure has grown from four to five domains and from 34 to 36 processes. The thought of added COBIT controls probably makes many security pros groan, but wait. These additions are no mean feat when you realize COBIT 5 integrates all knowledge previously dispersed across ISACA’s various frameworks -- COBIT, Val IT, Risk IT, the Business Model for Information Security (BMIS) and the IT Assurance Framework (ITAF) -- into a single knowledge base, thus paving the way for a consistent approach to value, risk and security across the enterprise.

In essence, COBIT 5 is complete in enterprise coverage, providing a basis for integrating other frameworks, standards and practices that organizations may already be using.

At its core, COBIT 5 has five principles:

  1. COBIT 5 the integrator (a governance and management framework for information and related technology that begins by assessing stakeholders' needs for technology). Stakeholders' needs include areas of concern or interest to stakeholders, or drivers for business goals. The business goal, IT goal and process goal mapping this generates follows the same format as COBIT 4.1, and provides a clear path to navigate to the most appropriate material to address the area of interest or concern.
  2. It is stakeholder value driven.
  3. It is business and context focused.
  4. It is enabler based. Seven categories of enabler are described on pages 28-32 and in appendix H of “The Framework”; the “enablers” being those enterprise resources that underpin success in IT.
  5. It is governance and management structured.

The COBIT 5 Architecture brings together stakeholders, their concerns, interests and needs, and ISACA’s knowledge base. This will enable the COBIT 5 product set to be developed to address specific stakeholder needs based on a subset of the COBIT 5 knowledge base. It is envisaged that the first three publications will be the Framework, the Process Reference Guide, and an updated IT Governance Implementation Guide. Drafts of the first two of these are available for free download.

Implementing COBIT 5 for existing users
Perhaps the biggest change for existing users of COBIT will be the new COBIT 5 Process Capability Model, which is introduced in section 8 (page 44) of the framework. This should not be a surprise, as in April 2011 ISACA published for public comment an ISO 15504-compliant process-assessment model based on COBIT 4.1, which is currently being used in a number of pilot studies across the world. ISO 15504 defines the steps necessary to perform a conformant capability assessment using a prescribed capability measurement framework. This is intended to provide a consistent and repeatable approach to assessment, which will make cross-enterprise, industry or process assessments more comparable.

There is also a notable change from the use of “control objectives” (COBIT legacy) to “management practices” (Val IT and Risk IT). If this is a cause for concern, Appendix A (page 205) of the Process Reference Guide provides a one-to-one mapping for each legacy requirement to the corresponding COBIT 5 management practice.

If you have concerns about how to align your COBIT 4.1-based framework with COBIT 5, I recommend you invest some time in taking a closer and more detailed look at the Enablers.

Rest assured there will be no shortage of additional supporting material as we go forward.

Implementing COBIT 5 for potential new users
Please don’t wait. COBIT 5 is a natural progression of a framework and supporting resources that first became available some 15 years ago. A word of caution though: All models and frameworks provide a simplification of the real world, and should not be used as prescriptive requirements. COBIT 4.1 enables you to start, not with a blank sheet of paper, but with a framework and resources that have been tested and are used by your peers. For your part, you have the responsibility of asking three simple questions as you begin your journey:

  1. What to do?
  2. What not to do?
  3. What can we stop doing?

The remaining challenge for you is where to start. Much like in Alice in Wonderland, that depends on where you are, and any pressing concerns you may have at this time, such as:

  1. If you are concerned about how your enterprise's security framework compares with your peers, or what they are concerned about, these 2011 publications should be helpful: “IT Governance Global Status Report” (.pdf), and “Top Business/Technology Issues Survey Results 2011”.
  2. If you have some pressing existing concerns, the document “Getting Started with Value Management” begins from the premise of some typical pain points.
  3. If you have concerns with business and IT alignment, “Understanding How Business Goals Drive IT Goals” (.pdf) will be a good place to start.
  4. If you need business buy-in for an enterprise governance of IT initiative, then “Building the Business Case for COBIT and Val IT” will be a good start for you.
  5. If you are looking for some guidance more generally on the enterprise governance of IT, then you should find the “Board Briefing on IT Governance” and “ITGI Enables ISO/IEC 38500:2008 Adoption” the right place for you.

All of the above can be downloaded free from www.isaca.org/research.

About the author:
Roger Southgate is a member of the COBIT Enterprise Task Force. He has been using COBIT since the '90s and has been active in its promotion, development and use since 2002. He has delivered presentations and workshops and consulted on the topic of Enterprise Governance of IT using COBIT across the world. He is an IT governance, benefits and risk consultant, a past president of the ISACA London Chapter, and co-ordinates the COBIT development group in London.

This was last published in August 2011