What is COBIT?
COBIT (Control Objectives for Information and Related Technologies) is a framework developed by ISACA for IT governance and management. First published in 1996, COBIT provides organisations with a comprehensive set of tools, models and best practices to bridge the gap between business requirements, technical issues and control risks. It is the leading framework used by IT auditors, governance professionals and CISOs worldwide to align IT strategy with business objectives.
Unlike security-focused frameworks such as ISO 27001 or NIST CSF, COBIT takes a broader governance perspective — it addresses how IT should be directed and controlled at the board and executive level, not just how it should be technically secured.
What is COBIT 2019?
COBIT 2019, released in November 2018, is the most significant evolution of the framework since COBIT 5 in 2012. It introduced a more flexible, customisable approach built on design principles, and added design factors that allow organisations to tailor the framework to their specific context — industry, size, risk profile, compliance requirements and strategic goals.
COBIT 2019 is built on six principles and organises governance and management objectives into a performance management system that allows organisations to measure and improve IT governance maturity over time.
| Attribute | Detail |
|---|---|
| Standard Body | ISACA — Information Systems Audit and Control Association |
| Current Version | COBIT 2019 (released November 2018) |
| Mandatory or Voluntary | Voluntary |
| Geography | Global |
| Primary audience | IT governance professionals, CISOs, CIOs, IT auditors, board members |
| Official Resource | isaca.org/resources/cobit |
The Six COBIT 2019 Principles
COBIT 2019 is built on six core principles that guide how organisations should approach IT governance and management.
| # | Principle | What it means |
|---|---|---|
| 1 | Provide stakeholder value | Every IT governance activity should create value for stakeholders — balancing benefits realisation, risk optimisation and resource optimisation |
| 2 | Holistic approach | Governance requires a complete system of components that work together — people, processes, organisational structures, information, services and infrastructure |
| 3 | Dynamic governance system | The governance system must adapt when design factors change — it is not static but evolves with the organisation and its environment |
| 4 | Governance distinct from management | Governance (evaluate, direct, monitor) is the responsibility of the board. Management (plan, build, run, monitor) is the responsibility of executive management. These must not be confused. |
| 5 | Tailored to enterprise needs | COBIT 2019 is not one-size-fits-all — design factors allow organisations to customise the framework to their specific context, risk profile and objectives |
| 6 | End-to-end governance system | COBIT covers governance of enterprise IT end-to-end — including internal and external IT services, and all technology regardless of where it resides |
Governance vs Management in COBIT
One of COBIT’s most important contributions is the clear distinction between governance and management — two concepts that are frequently confused in practice.
| Domain | Responsibility | COBIT activities | Objectives |
|---|---|---|---|
| Governance | Board and executives | Evaluate · Direct · Monitor (EDM) | 5 objectives covering governance framework, benefits delivery, risk optimisation, resource optimisation and stakeholder transparency |
| Management | CIO and management | Plan · Build · Run · Monitor (PBRM) | 35 objectives across four domains — APO, BAI, DSS and MEA |
The 40 Governance and Management Objectives
COBIT 2019 organises all governance and management activities into 40 objectives across five domains.
| Code | Domain | Objectives | Focus |
|---|---|---|---|
| GOVERNANCE DOMAIN | | | |
| EDM | Evaluate, Direct and Monitor | 5 | Governance framework, benefits delivery, risk optimisation, resource optimisation, stakeholder engagement |
| MANAGEMENT DOMAINS | | | |
| APO | Align, Plan and Organise | 14 | IT strategy, enterprise architecture, innovation, portfolio management, budget, workforce, relationships, security, risk, data, quality |
| BAI | Build, Acquire and Implement | 11 | Programme management, requirements, solutions identification, availability and capacity, change management, IT changes, configuration, knowledge, assets |
| DSS | Deliver, Service and Support | 6 | Operations, service requests and incidents, problems, continuity, security services, business process controls |
| MEA | Monitor, Evaluate and Assess | 4 | Performance and conformance monitoring, internal control system, compliance with external requirements, assurance |
COBIT 2019 vs COBIT 5 — Key Changes
| Area | COBIT 5 | COBIT 2019 |
|---|---|---|
| Design approach | Fixed framework | Flexible — design factors allow customisation |
| Principles | 5 principles | 6 principles |
| Objectives | 37 processes | 40 governance and management objectives |
| Performance management | Process Assessment Model (PAM) based on ISO/IEC 15504 | New performance management system with capability levels 0–5 |
| Focus areas | Not included | New focus areas for emerging topics — DevOps, cloud, cybersecurity, digital transformation |
| Open source | Not available | Core content available free at isaca.org |
Securitora Assessment
COBIT 2019 is the right framework for organisations that need to align IT governance with business strategy — particularly in regulated industries where boards and audit committees demand structured oversight of IT risk. It is less focused on technical security controls than ISO 27001 or NIST CSF, and more focused on governance structures, accountability and performance management. For most organisations, COBIT works best as a complement to a technical security framework rather than a standalone solution. The CISA and CISM certifications from ISACA both draw heavily on COBIT principles.
| Attribute | Detail |
|---|---|
| Recommended for | IT governance professionals, CIOs, audit committees, regulated industries requiring formal IT governance |
| Difficulty to implement | Medium — conceptually complex but flexible design factors make tailoring straightforward |
| Best used with | ISO 27001 · NIST CSF 2.0 · ITIL 4 (for service management) |
| Official resource | isaca.org/resources/cobit |