COBIT 2019
What it is
ISACA's framework for the governance and management of enterprise IT. Broader than security — covers value delivery, risk optimization, and resource optimization across all IT.
Who uses it
Large enterprises, especially those with mature IT governance and audit functions; common in regulated industries.
Why it matters
Often used by IT auditors and board-level IT risk reporting. A GRC analyst may map technical controls up to COBIT objectives for executive reporting.
Structure
5 Governance objectives (Evaluate-Direct-Monitor) and 35 Management objectives (Plan, Build, Run, Monitor).
Enterprise strategy, goals, risk profile, threat landscape, compliance — used to tailor a custom COBIT design.
Capability levels 0–5 for processes.
Terminology
Beginner explanation
COBIT zooms out further than CSF — it covers IT as a whole (cost, value, performance), not just cybersecurity. You will see it more in audit and board-level work.
Practical examples
- A bank uses COBIT to demonstrate to regulators that IT decisions trace back to board-approved governance objectives.
Advanced notes
COBIT 2019 introduced design factors and a focus area model, replacing the older one-size-fits-all approach of COBIT 5.