The alphabet soup of cybersecurity includes standards and regulations such as ISO, COBIT, COSO, NIST, NY DFS, and GDPR. While some industries must meet regulatory compliance requirements, other businesses must choose a standard to align their cybersecurity controls.
With that in mind, select the most user-friendly information technology security standard to help management and your IT department create a risk-based program.
The Control Objectives for Information and Related Technologies (COBIT) 5, created by the Information Systems Audit and Control Association (ISACA), allows you to focus on essential business goals, operations, and integrations to strengthen control environments by bringing all IT functions under one umbrella.
However, ISACA has since superseded COBIT 5 with COBIT 2019, so you need to consider how you plan to align with the updated framework.
Why is the COBIT Framework Important?
The COBIT framework aims to create a common language for IT professionals, business leaders, and compliance auditors to communicate about IT controls, goals, objectives, and outcomes.
Without a single language, a company under audit must educate each auditor on what, when, how, and why specific IT controls were implemented.
The Five Principles of COBIT
COBIT 5 is founded on five principles that are critical for the successful governance and management of enterprise IT:
- Principle 1: Meeting Stakeholder Needs
- Principle 2: Covering the Enterprise End-to-End
- Principle 3: Applying a Single Integrated Framework
- Principle 4: Enabling a Holistic Approach
- Principle 5: Separating Governance from Management
These five principles allow an organization to create a comprehensive IT governance framework based on seven ‘enablers’:
- Principles, Policies, and Frameworks
- Processes
- Organizational Structures
- Culture, Ethics, and Behavior
- Information
- Services, Infrastructure, and Applications
- People, Skills, and Competencies
Together, the principles and enablers allow an organization to align its IT investments with its business objectives and maximize the value of those investments.
How do I prepare for a COBIT audit?
When approaching a COBIT audit, there are five standard steps to take.
Step 1: Align Internal Controls.
The initial phase is control mapping. Auditors use this stage to match the organization’s internal controls to the controls the COBIT framework expects. Ideally, management has already completed this alignment, but in practice it is frequently unfinished when the audit begins.
Step 2: Perform a Gap Analysis.
The control alignment produces a list of internal controls set against the expected controls. Auditors then test control design against those expectations to uncover cracks in the internal control environment, such as missing or poorly designed controls.
Step 3: Document Control Design Gaps and Gather Action Plans.
Audit discusses the gaps with management, who prepare corrective action plans to close each gap. The audit team begins testing as management creates the new controls.
Step 4: Test Control Effectiveness and Gather Action Plans.
The next phase is control effectiveness testing: does each control actually operate as designed? This is the stage with which auditors are most familiar and experienced, and any control that fails the test gets its own corrective action plan.
Step 5: Monitor Mitigation Efforts.
After testing, the final stage is to track the progress of IT management’s corrective action plans. Corrective action plans may be time-sensitive depending on the framework’s use case, so due dates need to be monitored rather than just recorded.
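The five steps above are a data-tracking exercise: which objectives have a control mapped to them, which controls failed design or effectiveness testing, and which corrective actions are overdue. The script below is an added example written for this page, not code from the original article or from ISACA, and it shows one way to keep that record in a single inventory and derive the findings from it. The objective IDs are COBIT 2019 identifiers; the control inventory, test results and due dates are constructed sample data, not real audit evidence.

```python
"""Control-mapping and gap-analysis helper for a COBIT-style audit (added example)."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Governance and management objectives in scope for this audit (COBIT 2019 IDs).
REQUIRED_OBJECTIVES = {
    "APO12": "Managed Risk",
    "APO13": "Managed Security",
    "APO14": "Managed Data",
    "BAI11": "Managed Projects",
    "DSS05": "Managed Security Services",
    "MEA04": "Managed Assurance",
}


@dataclass
class Control:
    control_id: str
    description: str
    objectives: List[str]                 # objective IDs this control supports
    design_adequate: bool                 # Step 2: does the design meet the objective?
    effective: Optional[bool] = None      # Step 4: effectiveness test result; None = not yet tested
    action_due: Optional[date] = None     # Steps 3/5: corrective action plan due date


@dataclass
class AuditFindings:
    unmapped_objectives: List[str] = field(default_factory=list)   # no control maps to the objective
    design_gaps: List[str] = field(default_factory=list)           # control exists but is poorly designed
    untested_controls: List[str] = field(default_factory=list)     # effectiveness test still outstanding
    ineffective_controls: List[str] = field(default_factory=list)  # failed the effectiveness test
    overdue_actions: List[str] = field(default_factory=list)       # action plan past its due date


def map_controls(controls: List[Control]) -> dict:
    """Step 1: build the objective -> [control ids] index (the control mapping)."""
    mapping = {obj: [] for obj in REQUIRED_OBJECTIVES}
    for c in controls:
        for obj in c.objectives:
            if obj in mapping:            # objectives outside scope are ignored, not an error
                mapping[obj].append(c.control_id)
    return mapping


def analyse(controls: List[Control], as_of: date) -> AuditFindings:
    """Steps 2-5: gap analysis, effectiveness results and action-plan tracking as of a date."""
    f = AuditFindings()
    mapping = map_controls(controls)
    f.unmapped_objectives = sorted(obj for obj, ids in mapping.items() if not ids)
    for c in controls:
        if not c.design_adequate:
            f.design_gaps.append(c.control_id)
        if c.effective is None:
            f.untested_controls.append(c.control_id)
        elif not c.effective:
            f.ineffective_controls.append(c.control_id)
        # A control needs a corrective action if its design or its operation failed.
        needs_action = (not c.design_adequate) or c.effective is False
        if needs_action and c.action_due is not None and c.action_due < as_of:
            f.overdue_actions.append(c.control_id)
    return f


# Constructed sample inventory (hypothetical control IDs and descriptions).
SAMPLE_CONTROLS = [
    Control("AC-01", "Quarterly access review of privileged accounts", ["DSS05", "APO13"], True, True),
    Control("DM-02", "Data classification policy and labelling", ["APO14"], False, None, date(2024, 3, 31)),
    Control("PM-03", "Security sign-off before project go-live", ["BAI11"], True, False, date(2024, 6, 30)),
    Control("RM-04", "Annual IT risk assessment", ["APO12"], True, None),
]


if __name__ == "__main__":
    findings = analyse(SAMPLE_CONTROLS, as_of=date(2024, 5, 1))
    for name, ids in vars(findings).items():
        print(f"{name}: {', '.join(ids) or 'none'}")
```

Run against the sample data as of 1 May 2024, the script reports MEA04 as unmapped (nothing supports Managed Assurance), DM-02 as a design gap with an overdue action plan, PM-03 as ineffective but not yet overdue, and DM-02 and RM-04 as still untested. Keeping the inventory as data rather than a spreadsheet of prose means the same record can feed each of the five steps, and the "as of" date makes Step 5 repeatable at every monitoring cycle.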
Why choose COBIT 2019?
With a focus on risk management, COBIT draws on many of the most widely used standards to create universal “best practices” for building controls. ISACA recognized the way businesses increasingly incorporate vendors into their data ecosystems. As such, COBIT 5 was already aligned to ITIL, the ISO/IEC 20000 and 27000 series, and Project Management Institute (PMI) frameworks to ease the burden of working with multiple standards, and COBIT 2019 keeps that alignment.
With COBIT 2019, you’re focusing on both IT and enterprise-level risks. At its core, COBIT 2019 updates COBIT 5 to make it more flexible and focus on individual organizational needs.
What stayed the same from COBIT 5 to COBIT 2019?
COBIT 5 treated governance and management of IT as separate disciplines. COBIT 2019 retains this separation.
Management and Governance
Governance incorporates stakeholder needs, prioritization in decision-making, and measuring performance and compliance.
The management process incorporates planning, building, running, and monitoring activities to ensure they align with the governance standards and meet enterprise IT objectives.
The domains for governing and managing IT remain the same as before:
- EDM (Evaluate, Direct and Monitor): evaluate strategic options, direct the chosen options, and monitor achievement of the strategy
- APO (Align, Plan and Organize): organize the strategy and the activities that support IT
- BAI (Build, Acquire and Implement): define, acquire, and implement IT solutions
- DSS (Deliver, Service and Support): deliver IT and support IT services
- MEA (Monitor, Evaluate and Assess): monitor the performance and conformance of IT
Although the terminology may differ, all process objectives kept the same format. Thus, every governance or management objective still provides metrics and suggested activities.
What is new to COBIT 2019?
While COBIT 5 presented its principles and enablers as distinct parts that users had to integrate on their own, COBIT 2019 looks at how they fit together. Its Core Model gathers the governance and management objectives into a single list that starts with each objective and then drills down to how to set it up within the IT environment and how to align it with the skills and culture of your company.
COBIT 2019 changes several terms while keeping the fundamental principles in place. “Enablers” are now “Components of the Governance System.” “IT Related Goals” are now called “Alignment Goals.” “Process Guidance” is changed to “Governance/Management Objectives” to reinforce the integration of the various components.
New Management Objectives
COBIT 2019 added APO14 – Managed Data, BAI11 – Managed Projects, and MEA04 – Managed Assurance.
Integration of governance and management
- COBIT 2019 establishes a “goals cascade” that starts with stakeholder drivers and needs and ends with governance and management objectives.
- Objectives increased from 37 to 40
- Changes the term “enablers” to “components.”
- Relates components to both governance and management
Additional guidance for governance components
By promoting integration between governance and management, the alignments for processes now incorporate guidance for each governance component, which focuses on establishing “capability levels” for each activity.
Four Focus Areas
COBIT 5 organized its guidance around “enabling” processes. COBIT 2019 adds “focus areas,” tailored views of the core model for a specific topic; the four described here are DevOps, Small and Medium Enterprises, Risk, and Information Security.
To govern an IT program effectively, you need to know how information flows across the enterprise. COBIT 2019 enables this by providing a clear list of what needs to be done and how that needs to be communicated using the terms “input” and “output.”
Tailored Agile Approach
COBIT 2019 recognizes organizations’ need for continuous monitoring and so adds guidance for ongoing improvement. While governance continues to ask the business operations and enablement questions, management must design and execute plans and review their effectiveness to determine the benefits realized. As part of this, change enablement takes on a more decisive role, incorporating a continuous improvement cycle.
A COBIT 2019 Audit Checklist
- Define stakeholder (internal and external)
- Define stakeholder needs
- Create a defined organizational structure
- Ensure appropriate responsibility and accountability are listed within the structure
- Review people, skills, and competencies
- Update access and authorization based on role, skills, and need
- Define enterprise goals
- Create a code of culture, ethics, and behavior
- Define alignment goals for the management of IT
- Establish a list of IT processes
- Determine lines of communication between internal and external stakeholders
- Establish governance and management objectives
- Set principles, policies, and procedures for management to follow
- Engage in risk analysis over services, infrastructure, and applications
- Determine drivers
- Initiate program
- Define internal controls
- Review the current risk profile and controls
- Establish an implementation team across enterprise stakeholders
- Determine effective controls
- Review weak controls
- Determine future
- Identify key stakeholders and define roles
- Determine vendor service levels and create service level agreements that define controls
- Communicate outcome
- Determine next steps
- Plan program
- Execute plan
- Operate and use
- Review performance
- Establish key performance indicators
- Review performance and adjust accordingly
- Continuously monitor control effectiveness
- Recognize the need for changes
- Assess current and changing risks to the IT environment
- Define controls
- Build improvements
- Implement improvements
- Measure control effectiveness
- Evaluate IT security risk based on monitoring
How ZenGRC Enables COBIT 2019 Compliance
Since COBIT 2019 begins with COBIT 5 and expands upon it, much of your current program will remain the same. However, the new focus on communication across the enterprise means you need additional tooling to manage workflows and information flows.
ZenGRC provides task prioritization that helps you track compliance activities that reduce vulnerabilities by scheduling reviews and monitoring completion dates.
As a single source of information, the platform stores and supports remediation activities to demonstrate your continuous compliance and continuous auditing approach to information security.
Using our intuitive interface, you can easily upload frameworks, objectives, and controls while managing changes to those controls across various control frameworks.
For more information on how ZenGRC can enable your compliance efforts, contact us for a demo.