On 25 September 2018, John Lainhart passed away unexpectedly. He was a thought leader, author and contributor to COBIT
and ISACA, and he was a valued and admired colleague. This article and his thought leadership on COBIT 2019 will
be published posthumously.
The upsurge of digital transformation has made information and technology (I&T) crucial in the support, sustainability
and growth of enterprises. Whereas governing boards and senior management might once have delegated, ignored or avoided
I&T-related decisions, they know now that this approach is ill advised. It is not only digitized enterprises that
are dependent on I&T for survival and growth; stakeholder value creation (i.e., realizing benefits at an optimal
resource cost while optimizing risk) is also often driven by digitization in new business models, efficient processes
and successful innovation.
Because I&T is so integral to enterprise risk management and value generation, a specific focus on enterprise governance
of information and technology (EGIT) has arisen over the last two decades.
COBIT has reflected this focus on EGIT in its last few updates, culminating in
COBIT 5. However, a new edition of COBIT, scheduled for release in the fourth quarter of 2018, will extend and facilitate
this focus even further.
The new edition is called
COBIT 2019. No longer will COBIT updates be identified with version numbers. Instead, from now on, they will be designated
by the date of the latest update. This is in keeping with a dynamic I&T environment that generates change at such
a rapid pace that it is difficult to keep up with it. As described in this article, the new version acknowledges these
issues and addresses them by making COBIT a dynamic I&T governance framework that can be updated more rapidly, applying
user input to keep it relevant for the COBIT community.
Improving COBIT
The COBIT 2019 update improves COBIT in the following areas:
- It better addresses the importance of I&T governance for the enterprise. To achieve benefits realization, risk optimization, resource optimization, and business and IT alignment for the enterprise, an I&T governance program needs to be in place, supported by the board of directors and executive management. That governance program must be maintained on a basis that enables and encourages continuous improvement. This is a major differentiator for successful organizations.
- It addresses new trends in technology. For example, Development Operations (DevOps) and Agile development concepts are added; off-premises operations are considered; the impact of third-party providers is addressed; outsourcing activities are more thoroughly discussed; and, although not singled out, the Internet of Things (IoT) is addressed.
- It is more up to date, with the latest standards and working methods. The COBIT model allows referencing and alignment to concepts originating in other sources (e.g., other IT standards, compliance regulations).
- It provides more flexibility. The addition of the COBIT Design Guide: Designing an Information and Technology Governance Solution 1 provides additional guidance for defining and using design factors, which allow COBIT content to be tailored for better alignment with each organization’s and each user’s particular context.
- It introduces focus area concepts. A focus area describes a certain governance topic, domain or issue that can be addressed by a collection of governance and management objectives and their components. Examples include: small and medium enterprises, cybersecurity, digital transformation, and cloud computing. Focus areas can contain a combination of generic governance components and variants. The number of focus areas is virtually unlimited; new ones can be added as required or as subject matter experts and practitioners contribute. This is what makes COBIT open-ended.
- It is perceived as more prescriptive. Frameworks such as COBIT can be descriptive and prescriptive. The COBIT conceptual model is constructed and presented such that its instantiation—that is, the tailored COBIT governance components—is perceived as a prescription of how to set up a customized governance system for I&T.
- It is a better instrument to manage performance of I&T. The structure of the COBIT performance management model is integrated into the conceptual model. The maturity and capability concepts are introduced for better alignment with Capability Maturity Model Integration (CMMI).
- It supports decision-making. The key asset for all organizations is information. This information must be accurate, reliable, timely and available when needed for critical decision-making. The information is made available to all organizations through the use of technology, which must be secure and cost-effective.
What COBIT Is
The process of updating COBIT also included considerable effort to put into perspective what COBIT is and what it is not.
This article outlines each side of the equation, starting first with what it is.
COBIT 2019 can best be described as a framework for the governance and management of enterprise I&T, aimed at the
whole organization. Enterprise I&T refers to all the I&T processing the enterprise puts in place to achieve its
goals, irrespective of where this happens in the organization. In other words, enterprise I&T is not limited to the
IT department of an organization, but it certainly includes it.
COBIT 2019 defines the
components to build and sustain a governance system: processes, policies and procedures, organizational structures,
information flows, skills, infrastructure, and culture and behaviors. These were referred to as “enablers” in COBIT 5.
It also defines the design factors that should be considered by the organization to build a best-fit governance system.
It addresses governance issues by grouping relevant governance components into focus areas, which can be managed to the
required maturity levels.
What COBIT Is Not
After describing what COBIT 2019 is, it is important to define what it is not. This entails clearing up some misconceptions about COBIT, such as the following:
- COBIT 2019 is not a full description of the whole I&T environment of an organization.
- It is not a framework to organize business processes.
- It is not an (IT) technical framework to manage all technology.
- It does not make or prescribe any IT-related decisions. For example, it does not answer questions such as: What is the best IT strategy? What is the best architecture? How much should IT cost? Instead, it defines all the components that describe which decisions should be taken, and how and by whom they should be taken.
More to Come
COBIT 2019 is not a minor revision. It builds on and integrates more than 25 years of development in this field, incorporating new insights from science but also operationalizing these insights as practices. From its foundation in the IT audit community, COBIT has become a broader and more comprehensive I&T governance and management framework and continues to establish itself as a globally accepted model.
Those who are familiar with COBIT 5 will find much that is new in COBIT 2019. The update introduces several innovative concepts, or new ways of thinking about familiar concepts, that users will need to understand and adopt. A first step is defining and describing those concepts in greater detail. Subsequent articles will do exactly that, exploring some of the major changes to COBIT 2019, such as:
- I&T governance for the enterprise
- Governance and management objectives
- Focus areas
- Design factors
John Lainhart, 1946-2018, CISA, CRISC, CISM, CGEIT
Was director of Cybersecurity Strategy, Grant Thornton Public Sector; ISACA Board Chair 1984-1985; and led the working group that steered the development of COBIT 2019. Previously, he was the US public sector cybersecurity and privacy service area leader for IBM Global Business Services. He also served as a member of ISACA’s Framework Committee and chair of the COBIT Online Task Force.
Endnotes
1 The COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution will be available in December 2018.