IT governance framework
COBIT 2019
IT governance framework

COBIT 2019

All frameworks

What it is

ISACA's framework for the governance and management of enterprise IT. Broader than security — covers value delivery, risk optimization, and resource optimization across all IT.

Who uses it

Large enterprises, especially those with mature IT governance and audit functions; common in regulated industries.

Why it matters

Often used by IT auditors and board-level IT risk reporting. A GRC analyst may map technical controls up to COBIT objectives for executive reporting.

Structure

Governance vs Management

5 Governance objectives (Evaluate-Direct-Monitor) and 35 Management objectives (Plan, Build, Run, Monitor).

Design factors

Enterprise strategy, goals, risk profile, threat landscape, compliance — used to tailor a custom COBIT design.

Performance management

Capability levels 0–5 for processes.

Terminology

EDM / APO / BAI / DSS / MEA
The five COBIT domains: Evaluate-Direct-Monitor, Align-Plan-Organise, Build-Acquire-Implement, Deliver-Service-Support, Monitor-Evaluate-Assess.
Capability level
Maturity rating for a process (Incomplete → Optimizing).

Beginner explanation

COBIT zooms out further than CSF — it covers IT as a whole (cost, value, performance), not just cybersecurity. You will see it more in audit and board-level work.

Practical examples

  • A bank uses COBIT to demonstrate to regulators that IT decisions trace back to board-approved governance objectives.

Advanced notes

COBIT 2019 introduced design factors and a focus area model, replacing the older one-size-fits-all approach of COBIT 5.