How is COBIT Related to Risk Management?
Published March 17, 2020 by Tricia Scherer
First released in 1996, Control Objectives for Information and Related Technology (COBIT) is a framework developed by the Information Systems Audit and Control Association (ISACA) that can help you create and implement strategies around IT management and IT governance.
The COBIT management framework helps you deal with the risks to enterprise IT and the impacts those risks can have on your company, business processes, and IT systems.
It’s no secret that cybercrime is increasing and hackers are always looking for new methods to infiltrate your IT systems despite whatever information security measures you have in place. That’s why risk assessment and IT risk management should be part of your organization’s information security.
Assess and manage IT risk
Assessing and managing IT risk can help your company operate more efficiently by linking information and technology risk to the achievement of its strategic objectives.
That’s where COBIT comes in. As part of creating a holistic approach to information governance, COBIT aims to help you develop, organize, and implement strategies that align your IT infrastructure with business goals. It offers different maturity models and metrics that measure how well IT is contributing to achieving these objectives.
Initially, COBIT was created as a set of information technology control objectives to help financial firms with their IT auditing. However, over the years, its applications have expanded and COBIT now covers information governance and IT management methods, including information to help with risk management.
ISACA released COBIT 4 in 2005, followed by COBIT 4.1 in 2007. These versions added more detail on the governance of information and communication technology.
Holistic cybersecurity program
Released in 2012, COBIT 5 provides an IT framework that incorporates ISACA’s proprietary Val IT, Risk IT, and Information Technology Infrastructure Library (ITIL) with relevant standards produced by the International Organization for Standardization.
In addition, COBIT 5 works with the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework to help you create a controlled environment and a risk and governance model that lets your security program comply with regulatory requirements.
For example, if you need to comply with the COSO Framework, you can use COBIT 5 as a way to define and measure the effectiveness of your IT controls. Uniting these components, COBIT 5 offers a holistic cybersecurity program for enterprise IT governance. In addition, COBIT 5 defines five maturity models to help you determine where you are on your journey to total regulatory compliance.
Using COBIT 5, an organization can improve its IT risk-related capabilities, awareness, communication, decision making, and outcomes by giving key stakeholders an accurate, consistent, and validated assessment of the current level of IT risk and its impact on the business. Evaluating your cybersecurity protections against the COBIT 5 maturity models lets you assess the work you’ve completed and compare it to the work that you still need to finish.
IT risk is business risk
COBIT 5 for Risk characterizes IT risk as business risk: specifically, the business risk linked to the use, ownership, operation, involvement, influence, and adoption of IT in an organization.
COBIT 5 for Risk, which leverages the COBIT 5 framework, offers guidance to help risk professionals manage risk, incorporate IT risk into enterprise risk management, and help IT and business managers understand how to identify and manage IT risk effectively.
COBIT 2019, the most recent version of the framework, was released in 2018 and enables organizations to develop, organize, and implement more collaborative and flexible governance strategies. COBIT 2019 also addresses new and evolving technologies, trends, and requirements for businesses.
COBIT 2019 includes other frameworks, such as The Open Group Architecture Framework (TOGAF), Capability Maturity Model Integration (CMMI), and ITIL. It’s especially helpful for companies that want to use it as an overall framework linking different processes running in their organizations while focusing on risk management, governance, and security.
The COBIT framework stresses regulatory compliance, allows companies to get more value from IT, and helps align IT with the goals of the business to enable organizations to manage risk more effectively.