COBIT

from Wikipedia, the free encyclopedia

COBIT (up to version 4.1 an abbreviation of Control Objectives for Information and Related Technology; from version 5.0 the name is used only as an acronym) is an internationally recognized framework for IT governance that divides the tasks of IT into processes and control objectives (in German often translated as "control targets", more accurately "control specifications"; the current German version no longer translates the term). COBIT does not primarily define how the requirements are to be implemented, but what is to be implemented.

History

COBIT was originally developed in 1996 by the International Information Systems Audit and Control Association (ISACA). It has evolved from a tool for IT auditors into a tool for managing IT from a business perspective and is used, among other things, as a model for ensuring compliance with legal requirements. This promotes the industrialization of IT.

The first version of the reference model was published in 1996, followed by the second and third editions in 1998 and 2000. COBIT 4.0 was published in 2005, and the revised version 4.1 in May 2007. COBIT 5.0 finally followed in April 2012. Up to version 4.1, COBIT was still an abbreviation for Control Objectives for Information and Related Technology; from version 5.0 only the acronym is used, to document the shift from the original framework for auditors towards controlling the entire enterprise IT.

COBIT was built on COSO in order to guarantee the integration of IT governance into corporate governance. COBIT's claim is to be the link between enterprise-wide control frameworks (COSO) and IT-specific models (e.g. ITIL, ISO 27001/27002). That COBIT lives up to this claim is shown by its widespread use as a control model in most large companies internationally: ISACA states that 95% of large companies implement COBIT in whole or in part.

Control approach

COBIT's management approach is basically top-down. IT goals are derived from business objectives, and these in turn shape the IT architecture. Appropriately defined and operated IT processes ensure the processing of information, the management of IT resources (personnel, technology, data, applications) and the provision of services. For each of these levels (enterprise-wide, IT, process and activities), metrics and target values for assessing results and performance drivers are defined. Target achievement is measured bottom-up, which closes the control loop.

In total, the COBIT 5 framework defines 37 IT processes to which the control objectives are assigned. The control objectives are the essential areas that must be addressed within a process in order to achieve the process objective (and, via the IT objective, the enterprise objective). Taken together, the control objectives ensure a reliable information function appropriate to the company's needs.

Structure

COBIT 4.1

The COBIT 4.1 publications consist of the Core Content, the IT Assurance Guide, the Implementation Guide and the Control Practices.

The COBIT 4.1 core content defines for each of the 34 COBIT processes:

  • Process description
  • Process objective (high-level control objective)
  • Essential activities
  • Essential metrics
  • Control objectives (210 in total, compared to 215 in version 4.0 and 318 in version 3, which is referred to as the 3rd Edition)
  • Management guidelines with the inputs and outputs of the process, a task and responsibility matrix (RACI matrix) and detailed metrics for assessing the process, the contribution of individual activities to the goals of the process and the contribution of the process to the goals of IT
  • A maturity model that, based on CMM, describes the typical characteristics of the process at six maturity levels (0 to 5)

In addition, the COBIT 4.1 core content describes:

  • the relationship between enterprise goals and IT goals
  • a generic maturity model
  • measurement and assessment of IT
  • seven generic control objectives (valid for all processes)
  • control objectives for application controls (input, processing, output and transmission controls)

The IT Assurance Guide provides detailed instructions on how to audit IT processes. A distinction is made between auditing the processes, the control objectives and the control practices.

The COBIT Control Practices define, for each control objective in the core content, measures that help to meet the specification. The control practices can thus serve as a guide for implementation.

The methodological approach for the overall implementation of IT governance is described in the IT Governance Implementation Guide .

The processes of COBIT 4.1 can be mapped to the processes of ITIL V3 using a corresponding mapping.

COBIT 5

COBIT 5 was released in April 2012. It consolidates and integrates COBIT 4.1, Val IT 2.0, the Risk IT Framework and BMIS (Business Model for Information Security).

COBIT 5 defines five basic principles for the governance and management of enterprise IT. One of the main principles is the distinction between governance (setting direction, prioritizing and defining enterprise goals) and management (planning, implementing, executing and monitoring the necessary activities). Two further essential principles are the comprehensive, holistic approach and coverage of the entire enterprise; to this end, COBIT 5 defines seven enablers that are intended to make the enterprise goals achievable across the whole enterprise. The drivers behind all activities are IT's diverse stakeholders, such as customers, suppliers, legislators or business departments; the aim is to translate their requirements into a feasible corporate strategy. For this purpose COBIT 5 provides a goals cascade, a mechanism that breaks the stakeholders' requirements down into enterprise goals, IT-related goals and finally enabler goals. COBIT 5 defines 17 generic enterprise goals, which are mapped to 17 generic IT-related goals; these in turn are assigned to generic and specific enabler goals as well as to the 37 processes defined in COBIT 5.

The five fundamental principles for the governance and management of enterprise IT are:

  1. Meeting stakeholder needs
  2. Covering the entire enterprise
  3. Applying a single, integrated framework
  4. Enabling a holistic approach
  5. Separating governance from management

COBIT 5 defines and considers seven enabler categories, the factors or enterprise resources intended to make the enterprise goals achievable:

  1. Principles, policies and frameworks
  2. Processes
  3. Organizational structures
  4. Culture, ethics and behavior
  5. Information
  6. Services, infrastructure and applications
  7. People, skills and competencies

The COBIT 5 process reference model defines 37 processes grouped into five domains: one governance domain (EDM) and four management domains (APO, BAI, DSS and MEA), the latter also designated PBRM (Plan, Build, Run, Monitor). These processes can be mapped to the 26 processes of ITIL 2011, which are grouped into the five modules Service Strategy (SS), Service Design (SD), Service Transition (ST), Service Operation (SO) and Continual Service Improvement (CSI).

  • EDM - Evaluate, Direct and Monitor
    • EDM01 Ensure governance framework setting and maintenance
    • EDM02 Ensure benefits delivery
    • EDM03 Ensure risk optimization
    • EDM04 Ensure resource optimization
    • EDM05 Ensure stakeholder transparency
  • APO - Align, Plan and Organize
    • APO01 Manage the IT management framework
    • APO02 Manage strategy
    • APO03 Manage enterprise architecture
    • APO04 Manage innovation
    • APO05 Manage portfolio
    • APO06 Manage budget and costs
    • APO07 Manage human resources
    • APO08 Manage relationships
    • APO09 Manage service agreements
    • APO10 Manage suppliers
    • APO11 Manage quality
    • APO12 Manage risk
    • APO13 Manage security
  • BAI - Build, Acquire and Implement
    • BAI01 Manage programs and projects
    • BAI02 Manage requirements definition
    • BAI03 Manage solution identification and build
    • BAI04 Manage availability and capacity
    • BAI05 Manage organizational change enablement
    • BAI06 Manage changes
    • BAI07 Manage change acceptance and transitioning
    • BAI08 Manage knowledge
    • BAI09 Manage assets
    • BAI10 Manage configuration
  • DSS - Deliver, Service and Support
    • DSS01 Manage operations
    • DSS02 Manage service requests and incidents
    • DSS03 Manage problems
    • DSS04 Manage continuity
    • DSS05 Manage security services
    • DSS06 Manage business process controls
  • MEA - Monitor, Evaluate and Assess
    • MEA01 Monitor, evaluate and assess performance and conformance
    • MEA02 Monitor, evaluate and assess the system of internal control
    • MEA03 Monitor, evaluate and assess compliance with external requirements

In COBIT 5, the process capability model for evaluating and continuously improving processes is based on the international standard ISO/IEC 15504.

Recognition

COBIT 5 is recognized by several state or public-sector institutions in the following countries:

  • Argentina
  • Australia
  • Austria
  • Botswana
  • Brazil
  • Canada
  • Colombia
  • Costa Rica
  • Dubai
  • EU countries
  • Guatemala
  • India
  • Israel
  • Japan
  • Mauritius
  • Mexico
  • Nigeria
  • Norway
  • Paraguay
  • Philippines
  • South Africa
  • Switzerland
  • Turkey
  • United States
  • Uruguay
  • Venezuela
  • Zambia

Publications relevant to COBIT

Further ISACA publications relevant to COBIT are:

  • Board Briefing on IT Governance - raises awareness of the need for enterprise-wide IT governance
  • COBIT Mapping - a series of documents that compare COBIT with other IT standards (e.g. ITIL, ISO 17799, IT-Grundschutz Catalogs, NIST, FIPS, ISO 13335, TOGAF). As part of the COBIT mapping, a publication on the optimal combination of COBIT, ITIL and ISO 27001 was created together with OGC, the publisher of ITIL.
  • Control Objectives for Sarbanes-Oxley - a guide to defining the essential control activities that are usually determined in the context of SOX implementations
  • Control Objectives for Basel II - instructions for implementing the requirements of Basel II with the help of the COBIT framework (currently in preparation)

Personal certification

ISACA offers the following certifications on the subject:

Every year ISACA organizes regional (European) and international conferences as well as several COBIT user conventions, at which lectures and workshops on COBIT and IT governance are offered.

ISO/IEC 38500:2008

Another IT governance standard is ISO/IEC 38500:2008, published in 2008. From ISACA's perspective, ISO 38500 is not a substitute for COBIT but is intended to represent a superordinate top-down view, while ITIL and PRINCE2 form the foundation in IT service management and project management, and COBIT the connecting layer in between.
