The alphabet soup of cybersecurity includes standards and regulations such as ISO, COBIT, COSO, NIST, NY DFS, and GDPR. While some industries must meet regulatory compliance requirements, other businesses need to choose a standard to which they align their cybersecurity controls. With that in mind, you may want to select the most user-friendly information technology security standard to help management and your IT department create a risk-based program. COBIT 5, created by ISACA, allows you to focus on essential business operations and integrations to strengthen control environments by bringing all IT functions under one umbrella. However, ISACA updated COBIT 5 for 2019 meaning you need to think about how you plan to align with the updated standard.

Checklist for COBIT 2019 Audit

Why choose COBIT 2019?

With a focus on risk, COBIT 2019 worked across many of the most used standards to create a universal “best practices” for building controls. ISACA recognized the way businesses increasingly incorporate vendors into their data ecosystems. As such, they aligned COBIT 5 to ITIL, ISO 2000 and 27000 series, and Project Management Institute (PMI) frameworks to ease the burden of working with multiple standards.

With COBIT 2019, you’re focusing on both IT and enterprise level risks. At its core, COBIT 2019 updates COBIT 5 to make it more flexible and focus on individual, organizational needs.

What stayed the same from COBIT 5 to COBIT 2019

COBIT 5 maintained that governance and management of IT were separate entities. COBIT 2019 retains this focus.

Management and Governance

Governance incorporates stakeholder needs, prioritization in decision making, and measuring performance and compliance.

The management process incorporates planning, building, running, and monitoring activities to ensure that they align with the governance standards and meet enterprise objectives.

The domains over governing and managing IT risk remain the same as before.

Governance

• Evaluate strategic options
• Direct chosen options
• Monitor strategy achievement

Management

• Organize strategy and supporting activities for IT
• Define, acquire, and implement IT solutions
• Deliver IT  and support IT services
• Monitor performance and conformance of IT

Processes

Although the terminology may be different, all process objectives kept the same format. Thus, every governance or management objective still provides metrics and suggested activities.

What is new to COBIT 2019

While COBIT 5 focused on five core principles that appeared to be distinct from one another, COBIT 2019 looks at the way these principles integrate. Each component, now called “Core Processes,” incorporate how to set up the controls as well as the different governance needs. Thus, rather than having two separate sections that users need to integrate on their own, COBIT 2019 focuses on providing a list that starts with objectives and then drills down to how to set those up within the IT environment as well as how to align them to skill and culture within your company.

Terminology Changes

COBIT 2019 changes several terms while keeping the fundamental principles in place. “Enablers” are now “Components of the Governance System.” “IT Related Goals” are now called “Alignment Goals.” “Process Guidance” is changed to “Governance/Management Objectives” to reinforce the integration of the various components.

New Management Objectives

COBIT 2019 added APO14- Managed Data, BAI11 – Managed Projects, and MEA04 – Managed Assurance

Integration of governance and management

1. COBIT 2019 establishes a “goals cascade” that starts with stakeholder drivers and needs and ends with governance and management objectives.
2. Objectives increased from 37 to 40
3. Changes the term “enablers” to “components.”
4. Clearly relates components to both governance and management

Additional guidance for governance components

By promoting integration between governance and management, the alignments for processes now incorporate guidance for each governance component which focuses on establishing “capability levels” for each activity.

Four Focus Areas

Cobit 5 created “enabling” processes. COBIT 2019 changes these to create four focus areas: DevOps, Small and Medium Enterprises, Risk, Information Security.

Increased communication

To effectively govern an IT program, you need to know how information flows across the enterprise. COBIT 2019 enables this by providing you with a clear list of what needs to be done and how that needs to be communicated using the terms “input” and “output.”

Tailored Agile Approach

COBIT 2019 recognizes organizations’ continuous monitoring needs. Thus, it created a new process for ongoing improvements. While governance continues to ask business operations and enablement questions, management must not only design and execute plans but review effectiveness to determine benefits. As part of this, change enablement takes on a stronger role, incorporating a continuous improvement cycle.

A COBIT 2019 Audit Checklist

Board Governance

• Define stakeholder (internal and external)
• Define stakeholder needs
  • Create a defined organizational structure
    • Ensure appropriate responsibility and accountability listed within the structure
  • Review people, skills, and competencies
    • Update access and authorization based on role, skills, and need
• Define enterprise goals
  • Create a code of culture, ethics, and behavior
• Define alignment goals for management of IT
  • Establish a list of processes
  • Determine lines of communication between internal and external stakeholder
• Establish governance and management objectives
  • Set principles, policies, and procedures for management to follow
  • Engage in risk analysis over services, infrastructure, and applications

Senior Management

• Determine drivers
  • Initiate program
  • Define internal controls
• Review the current risk profile and controls
  • Establish an implementation team across enterprise stakeholders
  • Determine effective controls
  • Review weak controls
• Determine future
  • Identify key stakeholders and define roles
  • Determine vendor service levels and create service level agreements that define controls
  • Communicate outcome
• Determine next steps
  • Plan program
  • Execute plan
  • Operate and use
• Review performance
  • Establish key performance indicators
  • Review performance and adjust accordingly

IT Department

• Continuously monitor control effectiveness
  • Recognize the need for changes
• Assess current and changing risks to IT environment
• Define controls
• Build improvements
• Implement improvements
• Measure control effectiveness
• Evaluate IT security risk based on monitoring

How ZenGRC Enables COBIT 2019 Compliance

Since COBIT 2019 begins with COBIT 5 and expands upon it, much of your current program will remain the same. However, the new focus on communication across the enterprise means you need to have additional enablements that manage workflows and information flows.