Guide to COBIT Best Practices

Written by
Published 10/18/2018
COBIT 2019 audit

Established by the Information Systems and Audit Control Association (ISACA), the Control Objectives for Information and Related Technologies (COBIT) framework provides a framework for organizing enterprise IT management. Aligning your security-first information security compliance initiatives to COBIT best practices enables organizations to maintain a continuous risk management program.

COBIT Best Practices

Who is ISACA?

Initially founded in 1969, ISACA creates globally recognized IT certifications and develops auditing control guidances. Boasting its COBIT 5 as the only business framework for IT, ISACA formed an IT Governance Institute (ITGI) that focuses on researching and publishing resources that provide updated guidance and benchmarks for maintaining up-to-date information security controls.

What is COBIT 5?

COBIT 5 provides an IT framework which incorporates ISACA’s proprietary Val IT, Risk IT,  and Information Technology Infrastructure Library (ITIL) with relevant standards produced by the Internation Organization for Standardization (ISO).

By combining these elements, COBIT 5 offers an overarching cybersecurity program for enterprise IT governance.

Who uses COBIT 5?

COBIT 5 provides any organization a way to evaluate and defend data as part of its business processes. With a goal of enabling commercial, non-profit, and public sector companies, COBIT focuses on providing guidance for providing quality, reliablity, and control of information and related technology.

ISACA notes on its COBIT 5 resource page that key users include audit and assurance, compliance, IT operations, governance, and security and risk management executives and consultants.

Why should I choose COBIT 5?

COBIT 5 allows you to align many of your current controls with a variety of other standards and regulatory compliance requirements. For example, organizations that need to comply with the COSO Framework can use COBIT 5 as a way to define and measure IT control effefctiveness.

Moreover, COBIT 5 defines five maturity models that help you determine where you are on the road to complete compliance.

  • Level 0: Non-existent

No current process in place

  • Level 1: Initial/Ad Hoc

 No standardized process in place

  • Level 2: Repeatable but Intuitive

Procedures exist but require highly knowledgable individuals and little standardization exists.

  • Level 3: Defined Process

Standardized procedures exist but remain unsophisticated.

  • Level 4: Managed and Measurable

Standardized procedures include key performance indicators and error detection methods

  • Level 5: Optimized

Refined, standardized processes exist and maintain strong practice levels that reduce variances

By measuring your cybersecurity protections against the COBIT 5 maturity models, you can review the work you’ve done and compare it to the work that you need to do.

How to use the COBIT framework five principles to creating best practices

ISACA based COBIT 5 on five fundamental principles. These five guiding principles underlie COBIT 5’s approach to information management and governance. By aligning your IT processes and internal controls based on these high-level principles, you can establish an enterprise approach consistent with your business objectives.

Principle 1: Meet Stakeholder Needs

ISACA recognizes that your enterprise has a variety of stakeholder with different, and soemtimes conflicting, needs. For example, your marketing department needs to use social media to build your brand voice. However, social media third party applications provide and often ignored data threat that your IT department needs to mitigate.

Best Practices:

  • Define relevant and tangible goals
  • Define levels of responsiblity
  • Identify and communicate enablers’ importance

Principle 2: Cover the Enterprise End-to-End

Information governance and management needs to a part of enterprise IT governance but also needs to include all other information and related technology. All members of your organization need to be aware of the information assets that enable their business objectives.

Best Practices:

  • Define goverance enablers
  • Define governance scope
  • Assign roles and activities to the relationshps

Principle 3: Apply a Single Integrated Framework

COBIT 5 aligns to a variety of frameworks – risk management and IT related – to enable a unified approach to data management. From the enterprise managemetn perspective, it draws from COSO, COSO ERM, ISO/IEC 9000, and ISO/IEC 31000. As related specifically to IT, COBIT 5 focuses on bringing together ISO/IEC 38500, ITIL, ISO/IEC 27000 series, TOGAF, PMBOK/PRINCE2, and CMMI.

Best Practices:

  • Review the standards related to your organization
  • Engage in the appropriate risk identification
  • Ensure COBIT 5 aligns to overarching enterprise goals

Principle 4: Enable a Holistic Approach

As part of creating a holistic approach to information governance, COBIT focuses on aggregating the factors that individually and collectively influence meeting objectives. Principles, policies, and frameworks tie together the processes, organizational structures, and corporate ethical culture to information, services/infrastructures/applications, and people/skills/competencies.

Best Practices:

  • Outline practices and activities that achieve objecteves
  • Define key decision-making entities
  • Define the behaviors, of individuals and the organization, that are most important
  • Establish the policies derived from principles and frameworks to guide day-to-day practices
  • Review all information used by the organization to enable business operations or are part of services provided
  • Incorporate infrastructure, technology, and application that enable business operations and processes
  • Define roles based on individuals’ skills and competencies to complete activities, make decision, and take corrective actions.

Principle 5: Separate Governance from Management

Governance involves evaluating, directing, and monitoring the information management program. Management involves planning, building, running, and monitoring the daily activities.  The Board of Directors is responsible for governance while executive management, led by the CEO, is responsible for management. Although the COBIT framework incorporates five domains and 37 processes, the high level overview provides an outline of steps organizations can take to separate governance and management.

Best Practices for Governance:

  • Create enterprise guiding principles
  • Establish decicsion-making model
  • Create authoirty levels
  • Review enterprise governance communications
  • Recieve feedback on governance effectiveness and performance

Best Practices for Management

  • Comminucate ground rules
  • Establish IT-related policies
  • Communicate IT objectives
  • Suggest process improvement opportunities
  • Create a communications package
  • Establish quality management standards
  • Establish a process for measuring quality of service goals and metrics
  • Continually review and improve good practices
  • Establish quality review benchmark results
  • Establish monitoring targets
  • Review performance reports
  • Define remedial actions
  • Assign responsibility for remdial actions
  • Establish and review internal control monitoring
  • Review benchmarks and evaluations
  • Create self-assessment plans and criteria
  • Review self-assessment results
  • Locate and review control deficiencies
  • Create and review assurance plans and their results
  • Communicate new compliance requirements

How ZenGRC Enables Enterprise Level Compliance

COBIT 5 uses a language reminiscent of project management to better align business leaders to IT princples. Incorporating terms such as value creation, stakeholders, strategic objectives, and stakeholder management help bridge the gap between the IT department, management, and the Board of Directors.

However, the way in which COBIT 5 focuses on stakeholder communication. Moreover, it’s first principle focuses specifically on the variety of stakeholders involved in the process. Therefore, if you’re looking to be COBIT compliant you need to make an IT investment that helps you manage communications between your stakeholders.

ZenGRC provides task prioritization that help let you track compliance activities that reduce vulnerabilities by scheduling reviews and monitoring their completion dates.

As a single-source-of-information, the platform stores and supports remediation activities to prove your continuous compliance and continuous auditing approach to information security.

By using our intuitive interface, you can easily upload frameworks, objectives, and controls while also managing changes to those controls across a variety of frameworks.

For more information on how ZenGRC can enable your compliance efforts, contact us for a demo.