Table of Contents
1. Introduction: COBIT 2019 and the Importance of I&T Governance
2. The COBIT 2019 Framework: Key Publications and Structure
3. Governance and Management Objectives: The Core of the Model
4. The Components of the Governance System
5. Tailoring the Governance System: Design Factors
6. The COBIT 2019 Implementation Lifecycle
7. Relationship with Other Frameworks and Standards
8. Benefits of Using COBIT 2019
9. Application Examples from Sources
10. Conclusion: Towards Effective and Tailored I&T Governance
1. Introduction: COBIT 2019 and the Importance of I&T Governance
In the current context of digital transformation, information and technology (I&T) have become crucial for the support, sustainability, and growth of enterprises. The governance of digital information faces major challenges, such as the rise of AI, cybersecurity, budgetary constraints, and digital responsibility. Cyber threats represent a significant and pervasive risk to systems and networks. Chief Information Officers (CIOs) see their role evolving, requiring them to drive innovation while securing increasingly complex technological infrastructures. Facing these challenges, effective information and technology governance is essential.
COBIT (Control Objectives for Information and Related Technologies) is a framework created by ISACA for the governance and management of enterprise information and technology (I&T). COBIT 2019 is the latest version of this framework, long awaited since the publication of COBIT 5 in 2012. It continues to assert itself as a generally accepted framework for I&T governance. This new version covers the entire enterprise, meaning all the technology and information processing an enterprise uses to achieve its goals. Enterprise I&T is not limited to the IT department but certainly includes it. COBIT 2019 is designed to help organizations align IT strategies with business goals, ensuring value creation, risk management, and resource optimisation. It is the most comprehensive framework for the governance and management of information and technology (I&T).
2. The COBIT 2019 Framework: Key Publications and Structure
COBIT 2019 is based on four key publications. The first, "Framework: Introduction and Methodology," describes the structure of the overall framework. The second, "Framework: Governance and Management Objectives," describes in detail the core model and its 40 governance and management objectives. These first two publications are available for free download from the ISACA website.
The next two publications are the "COBIT 2019 Design Guide" and the "COBIT 2019 Implementation Guide". These guides are free for ISACA members only. The "Design Guide" explains how to use COBIT in a practical way, offering prescriptive how-to information for tailoring a governance system to the enterprise's unique circumstances and context. It defines and lists various design factors and describes the potential impact these factors have on the implementation of a governance system. The "Implementation Guide" is an updated version of the COBIT 5 Implementation Guide, taking a similar approach to implementation but incorporating the new terminology and concepts of COBIT 2019, including the design factors. Combined, these guides make COBIT implementation more practical and custom-tailored.
One of the improvements in COBIT 2019 is its greater flexibility and openness. An "open source" type model is envisioned to allow the global governance community to contribute to future updates.
3. Governance and Management Objectives: The Core of the Model
The governance and management objectives, totaling 40 (compared to 37 processes in COBIT 5), constitute the core of COBIT 2019. They are described in detail in the "Framework: Governance and Management Objectives" publication. Each objective includes its description, purpose, connection with enterprise and alignment goals, along with sample metrics.
An example objective is APO13 – Managed security. Another is APO01 – Design the management system for enterprise I&T. Each governance and management objective, or process, is clearly described using the governance components.
The "goals cascade" is a method used to identify the applicable IT governance and management objectives for an enterprise.
4. The Components of the Governance System
To achieve their governance and management objectives, enterprises must put in place a governance system based on a number of components. These components are factors that, individually and collectively, contribute to the proper functioning of the enterprise's governance system over I&T. In COBIT 5, they were called "enablers". While this enabler concept was much liked, it was very difficult to implement in an enterprise. These components now constitute a key element of the COBIT 2019 framework, based on their link with governance and management objectives.
COBIT defines the components to build and sustain a governance system:
- Processes: It is through the process that each governance or management objective is achieved. The "Process" component includes a set of management practices, example metrics, and activities, along with related guidance. Each activity is now assigned to a capability level, based on a CMMI-inspired approach. Related good practices frameworks now appear for EACH of the governance components, not just at the process level as in COBIT 5.
- Organizational Structures: This component provides guidance on organizational roles and structures. COBIT 2019 suggests only Accountability and Responsibility roles. The Consulted and Informed roles from COBIT 5 are no longer included in the new guides because they depend significantly on the organization's context and priorities. Enterprises must examine and update roles and organizational structures based on their context. The model presents, for each objective, the key organizational structures and their level of participation (Accountable, Responsible, Consulted, Informed).
- Information Flows and Items: This governance component provides guidance on information flows and items related to process practices. Each practice includes inputs and outputs, indicating origin and destination. Information itself is also a component.
- People, Skills and Competencies: This component identifies the required skills and competencies. It provides skill-related guidance, often with detailed references to frameworks like Skills Framework for the Information Age (SFIA) or e-Competence Framework (e-CF).
- Culture, Ethics and Behavior: This essential component identifies the behaviours and cultural aspects of the people involved in achieving the objective. It includes key culture elements, sometimes with references to standards.
- Policies and Procedures: This component provides guidance on relevant policies and procedures. For example, it may suggest a performance measurement policy based on the balanced scorecard.
- Services, Infrastructure and Applications: This component identifies third-party services, infrastructure types, and application categories that can support achieving an objective. The instructions are generic. This component also includes references to relevant support tools.
Detailed information about each component relevant to each governance and management objective is included in the "Governance and Management Objectives" publication.
5. Tailoring the Governance System: Design Factors
COBIT 2019 places a strong emphasis on tailoring. Enterprises have unique circumstances and contexts that influence the design of their governance system. This is where "design factors" come into play. The "COBIT 2019 Design Guide" defines these design factors and provides a workflow for creating a "right-sized" design for the governance system. The introduction of design factors allows for suggesting good practices to adapt a governance system to enterprise needs. They have a potential impact on implementation.
6. The COBIT 2019 Implementation Lifecycle
Implementing an I&T governance solution is a journey that must be managed as a programme. The "COBIT 2019 Implementation Guide" provides guidance for this journey.
Challenges and Success Factors
Governance implementation can fail if challenges are not managed properly. To succeed, governance programmes must be sponsored by executive management, scoped correctly, and set achievable objectives. The recommended approach involves empowering business and IT stakeholders to take ownership of governance and management decisions. The guide covers implementation challenges and success factors.
Phases in the Change Enablement Life Cycle
The implementation guide also discusses organisational and behavioural change related to EGIT (Enterprise Governance of I&T). It outlines a life cycle for change enablement, divided into phases:
- Phase 1 - Stirring Desire to Transform.
- Phase 2 - Assembling Implementation Team.
- Phase 3 - Articulating Vision.
- Phase 4 - Empowering Change Agents and Identifying Quick Wins.
- Phase 5 - Enabling Operations and Usage.
- Phase 6 - Embedding New Approaches.
- Phase 7 - Sustaining Momentum.
The programme is considered closed when it generates measurable benefits and becomes embedded in ongoing business activity.
Building Upon Existing Approaches
Determining the starting point is crucial. Most organisations already have some EGIT structures or processes in place. The focus should be on building upon these existing approaches rather than creating something new. Any previous improvements made using COBIT 5 or other standards can be enhanced by COBIT 2019 as part of ongoing improvement. The guide allows users to customise COBIT guidance for their specific context.
7. Relationship with Other Frameworks and Standards
COBIT 2019 is designed to align with other standards, frameworks, and best practices. It provides detailed references to applicable standards, frameworks, and compliance requirements for each governance item. These references are provided at the component level, differing from COBIT 5 where they applied only at the process level.
The sources mention relationships with several other frameworks and standards:
- ISO/IEC 27001 (Information Security Management) and ISO/IEC 38500 (Governance of IT) are explicitly mentioned as mappable to COBIT 2019 to help develop a governance strategy.
- ITIL (Information Technology Infrastructure Library) is referenced, for example, in relation to Service Catalogue Management (APO09.02).
- The Balanced Scorecard (BSC) is mentioned as a performance measurement system that translates strategy into action, taking into account intangibles like customer satisfaction, process efficiency, etc., and is linked to the performance measurement policy in COBIT.
- The CMMI framework (Capability Maturity Model Integration) inspired the process capability analysis approach in COBIT 2019, where process activities are assigned to capability levels.
- Competency frameworks like SFIA and e-CF are referenced for the "People, Skills and Competencies" component.
- COSO Enterprise Risk Management is referenced in relation to Organisational Structures.
- National Institute of Standards and Technology Special Publication 800-53 is referenced for Managed Projects (BAI11).
8. Benefits of Using COBIT 2019
Using COBIT 2019 offers several benefits for enterprises:
- Strategic alignment and value creation: It helps align I&T strategies with business goals and realise benefits.
- Risk management and resource optimisation: It supports the management of I&T-related risks and the optimal use of resources.
- Comprehensive and integrated approach: COBIT 2019 is the most comprehensive framework for I&T governance and management. It covers all necessary components for an effective governance system.
- Flexibility and custom tailoring: Thanks to design factors and the Design Guide, COBIT 2019 allows for creating a governance system tailored to the enterprise's specific needs. This enhances its relevance over time.
- Continual improvement: The framework supports the continual improvement of the governance system.
- Generally accepted framework: It continues to establish itself as a recognized reference framework.
9. Application Examples from Sources
The sources mention use cases and applications of COBIT 2019:
- Research studied the implementation of COBIT 2019 at PT. Pelindo TPK Bitung to improve IT governance, indicating significant success in reaching a capability level 3. The study utilised the COBIT 2019 Design Toolkit.
- COBIT is presented as a robust, adaptable solution for effective Artificial Intelligence (AI) system governance and management.
- The Design Guide offers recommended workflows for creating a right-sized governance system.
- The Implementation Guide aims to provide a guide for avoiding pitfalls and leveraging best practices.
These examples show that COBIT 2019 is applied in various contexts to structure and improve I&T governance.
10. Conclusion: Towards Effective and Tailored I&T Governance
COBIT 2019 is a robust and comprehensive framework for the governance and management of enterprise information and technology across the entire enterprise. It provides a clear structure based on 40 governance and management objectives and seven key components. Its strength lies in its ability to be tailored to each enterprise's unique context through the use of design factors and the guidance provided in the Design Guide. The Implementation Guide offers a roadmap for putting it into practice, covering the change life cycle and encouraging building upon existing EGIT structures.
By focusing on the applicable objectives identified via the goals cascade and implementing the corresponding components, enterprises can significantly improve their I&T governance system. COBIT 2019's more prescriptive approach and its updated alignment with other standards make it a powerful tool for addressing the challenges of digital transformation and ensuring effective, secure, and value-creating governance. Implementation requires an understanding of the enterprise context and a certain level of experience, but ISACA's official guides are designed to support professionals on this journey.
Amadou Lamine Diouf
Expert Consultant | Trainer | Information Systems Auditor
🌐 Website: www.truetechnologie.com
📧 Email: lamine.diouf@truetechnologie.com
📞 Phone: +221 77 856 27 66