"> COBIT2019 – Page 4 – Process-Symphony – ITSM Knowledge Orchestrators

Search Knowledge

Tag: COBIT2019

IT management framework APO01 (COBIT 2019)

Parent Framework: COBIT 2019

Domain: Align Plan and Organise

Managed IT management framework

Design the management system for enterprise ICT based on enterprise goals and other design factors. Based on this design, implement all required components of the management system.


Implement a consistent management approach for enterprise governance requirements to be met, covering governance components such as management processes; organizational structures; roles and responsibilities; reliable and repeatable activities; information items; policies and procedures; skills and competencies; culture and behavior; and services, infrastructure and applications.


APO01.01 Design the management system for enterprise I&T.

Design a management system tailored to the needs of the enterprise. Management needs of the enterprise are defined through the use of the goals cascade and by application of design factors. Ensure the governance components are integrated and aligned with the enterprise’s governance and management philosophy and operating style.

APO01.02 Communicate management objectives, direction and decisions made.

Communicate awareness and promote understanding of alignment and I&T objectives to stakeholders throughout the enterprise. Communicate at regular intervals on important I&T-related decisions and their impact for the organization.

APO01.03 Implement management processes (to support the achievement of governance and management objectives).

Define target process capability levels and implementation priority based on the management system design.

APO01.04 Define and implement the organizational structures.

Put in place the required internal and extended organizational structures (e.g., committees) per the management system design, enabling effective and efficient decision making. Ensure that required technology and information knowledge is included in the composition of management structures.

APO01.05 Establish roles and responsibilities.

Define and communicate roles and responsibilities for enterprise I&T, including authority levels, responsibilities and accountability.

APO01.06 Optimize the placement of the IT function.

Position the IT capabilities in the overall organizational structure to reflect the strategic importance and operational dependency of IT within the enterprise. The reporting line of the CIO and representation of IT within senior management should be commensurate with the importance of I&T within the enterprise.

APO01.07 Define information (data) and system ownership.

Define and maintain responsibilities for ownership of information (data) and information systems. Ensure that owners classify information and systems and protect them in line with their classification.

APO01.08 Define target skills and competencies.

Define the required skills and competencies to achieve relevant management objectives.

APO01.09 Define and communicate policies and procedures.

Put in place procedures to maintain compliance with and performance measurement of policies and other components of the control framework. Enforce the consequences of noncompliance or inadequate performance. Track trends and performance and consider these in the future design and improvement of the control framework.

APO01.10 Define and implement infrastructure, services and applications to support the governance and management system.

Define and implement infrastructure, services and applications to support the governance and management system (e.g., architecture repositories, risk management system, project management tools, cost tracking tools and incident monitoring tools).

APO01.11 Manage continual improvement of the I&T management system.

Continually improve processes and other management system components to ensure that they can deliver against governance and management objectives. Consider COBIT implementation guidance, emerging standards, compliance requirements, automation opportunities and the feedback of stakeholders.


Enterprise IT governance GOVN

The establishment and oversight of an organisation’s approach to the use of Information systems and digital services, and associated technology, in line with the needs of the principal stakeholders of the organisation and overall organisational corporate governance requirements. The determination and accountability for evaluation of current and future needs; directing the planning for both supply and demand of these services; the quality, characteristics, and level of IT services; and for monitoring the conformance to obligations (including regulatory, legislation, control, and other standards) to ensure positive contribution of IT to the organisation’s goals and objectives.


IT management ITMG

The management of the IT infrastructure and resources required to plan for, develop, deliver and support IT services and products to meet the needs of a business. The preparation for new or changed services, management of the change process and the maintenance of regulatory, legal and professional standards. The management of performance of systems and services in terms of their contribution to business performance and their financial costs and sustainability. The management of bought-in services. The development of continual service improvement plans to ensure the IT infrastructure adequately supports business needs.


Innovation Management -APO 04 (COBIT 2019)

Parent Framework: COBIT 2019

Domain: Align Plan and Organise

Managed Innovation

Maintain an awareness of ICT and related service trends and monitor emerging technology trends. Proactively identify innovation opportunities and plan how to benefit from innovation in relation to business needs and the defined ICT strategy. Analyze what opportunities for business innovation or improvement can be created by emerging technologies, services or ICT-enabled business innovation; through existing established technologies; and by business and ICT process innovation. Influence strategic planning and enterprise architecture decisions


Achieve competitive advantage, business innovation, improved customer experience, and improved operational effectiveness and efficiency by exploiting I&T developments and emerging technologies


APO04.01 Create an environment conducive to innovation. Create an environment that is conducive to innovation, considering methods such as culture, reward, collaboration, technology forums, and mechanisms to promote and capture employee ideas

APO04.02 Maintain an understanding of the enterprise environment. Work with relevant stakeholders to understand their challenges. Maintain an adequate understanding of enterprise strategy, competitive environment and other constraints, so that opportunities enabled by new technologies can be identified.

APO04.03 Monitor and scan the technology environment. Set up a technology watch process to perform systematic monitoring and scanning of the enterprise’s external environment to identify emerging technologies that have the potential to create value (e.g., by realizing the enterprise strategy, optimizing costs, avoiding obsolescence, and better enabling enterprise and I&T processes). Monitor the marketplace, competitive landscape, industry sectors, and legal and regulatory trends to be able to analyze emerging technologies or innovation ideas in the enterprise context.

APO04.04 Assess the potential of emerging technologies and innovative ideas. Analyze identified emerging technologies and/or other I&T innovative suggestions to understand their business potential. Work with stakeholders to validate assumptions on the potential of new technologies and innovation.

APO04.05 Recommend appropriate further initiatives. Evaluate and monitor the results of proof-of-concept initiatives and, if favorable, generate recommendations for further initiatives. Gain stakeholder support.

APO04.06 Monitor the implementation and use of innovation. Monitor the implementation and use of emerging technologies and innovations during adoption, integration and for the full economic life cycle to ensure that the promised benefits are realized and to identify lessons learned.


The following SFIA skills are relevant to innovation:

EMRG: Emerging technology monitoring

The identification of new and emerging technologies, products, services, methods and techniques. The assessment of their relevance and the potential impacts (both threats and opportunities) upon business enablers, cost, performance or sustainability. The communication of emerging technologies and their impact.


INOV: Innovation

The capability to identify, prioritise, incubate and exploit opportunities provided by information, communication and digital technologies. To develop and implement processes, tools and infrastructures to support innovation. To involve internal and external communities, employees, commercial partners, customers, users and other stakeholders in the innovation process. To provide governance, monitoring to, and reporting on, the innovation process.


RSCH: Research

The systematic creation of new knowledge by data gathering, innovation, experimentation, evaluation and dissemination. The determination of research goals and the method by which the research will be conducted. The active participation in a community of researchers; communicating formally and informally through digital media, conferences, journals, books and seminars.



Tool NameBrightIdea
URL https://www.brightidea.com/
Value PropositionCollect, share, route, screen, evaluate, experiment, incubate, develop, track, and report on the best ideas your organization has to offer, with the most advanced innovation platform available.

Do you use this tool in organisation?  We want to hear from you!  Please rate how much this tool is leveraged to support the processes in your organisation. You do not need to identify the organisation.  

Please remember. It is not about the “potential capability” of the tool. You have to rate the actual usage within your organisation

Rating Guidelines:

  • 1 or 2: only a subset of processes are supported by the tool
  • 3:  The tool supports our needs. But we start observing some limitations.
  • 4: The tool supports our current and future needs.
  • 5: The tool supports our current and future needs. Integrates well with the eco-systems of other tools.

Monitor, Evaluate and Assess (COBIT 2019)

Parent PRF: COBIT 2019


01Managed Performance and Conformance Monitoring
02Managed System of Internal Control
03Managed Compliance With External Requirements
04Managed Assurance

MEA01: Managed Performance and Conformance Monitoring

Collect, validate and evaluate enterprise and alignment goals and metrics. Monitor that processes and practices are performing against agreed performance and conformance goals and metrics. Provide reporting that is systematic and timely.

Provide transparency of performance and conformance and drive achievement of goals.

MEA02: Managed System of Internal Control

Continuously monitor and evaluate the control environment, including self-assessments and self-awareness. Enable management to identify control deficiencies and inefficiencies and to initiate improvement actions. Plan, organize and maintain standards for internal control assessment and process control effectiveness.

Obtain transparency for key stakeholders on the adequacy of the system of internal controls and thus provide trust in operations, confidence in the achievement of enterprise objectives and an adequate understanding of residual risk.

MEA03: Managed Compliance with External Requirements

Evaluate that I&T processes and I&T-supported business processes are compliant with laws, regulations and contractual requirements. Obtain assurance that the requirements have been identified and complied with; integrate IT compliance with overall enterprise compliance.

Ensure that the enterprise is compliant with all applicable external requirements.

MEA04: Managed Assurance

Plan, scope and execute assurance initiatives to comply with internal requirements, laws, regulations and strategic objectives. Enable management to deliver adequate and sustainable assurance in the enterprise by performing independent assurance reviews and activities.

Enable the organization to design and develop efficient and effective assurance initiatives, providing guidance on planning, scoping, executing and following up on assurance reviews, using a road map based on well-accepted assurance approaches.

Deliver, Service and Support (COBIT 2019)

Parent Process Reference Framework (PRF):  COBIT

01 Managed Operations
02 Managed Service Requests and Incidents
03 Managed Problems
04 Managed Continuity
05 Managed Security Services
06 Managed Business Process Controls

DSS01: Managed Operations

Coordinate and execute the activities and operational procedures required to deliver internal and outsourced IT services. Include the execution of predefined standard operating procedures and the required monitoring activities

Deliver IT operational product and service outcomes as planned.

DSS02: Managed Service Requests and Incidents

Provide timely and effective response to user requests and resolution of all types of incidents. Restore normal service; record and fulfil user requests; and record, investigate, diagnose, escalate and resolve incidents.

Achieve increased productivity and minimize disruptions through quick resolution of user queries and incidents. Assess the impact of changes and deal with service incidents. Resolve user requests and restore service in response to incidents

DSS03: Managed Problems

Identify and classify problems and their root causes. Provide timely resolution to prevent recurring incidents. Provide recommendations for improvements.

Increase availability, improve service levels, reduce costs, improve customer convenience and satisfaction by reducing the number of operational problems, and identify root causes as part of problem resolution.

DSS04: Managed Continuity

Establish and maintain a plan to enable the business and IT organizations to respond to incidents and quickly adapt to disruptions. This will enable continued operations of critical business processes and required I&T services and maintain availability of resources, assets and information at a level acceptable to the enterprise.

Adapt rapidly, continue business operations and maintain availability of resources and information at a level acceptable to the enterprise in the event of a significant disruption (e.g., threats, opportunities, demands).

DSS05: Managed Security Services

Protect enterprise information to maintain the level of information security risk acceptable to the enterprise in accordance with the security policy. Establish and maintain information security roles and access privileges. Perform security monitoring.

Minimize the business impact of operational information security vulnerabilities and incidents.

DSS06: Managed Business Process Controls

Define and maintain appropriate business process controls to ensure that information related to and processed by in-house or outsourced business processes satisfies all relevant information control requirements. Identify the relevant information control requirements. Manage and operate adequate input, throughput and output controls (application controls) to ensure that information and information processing satisfy these requirements.

Maintain information integrity and the security of information assets handled within business processes in the enterprise or its outsourced operation.

Build, Acquire and Implement (COBIT 2019)

Parent Process Reference Framework (PRF):   COBIT

01 Managed Programs
02 Managed Requirements Definition
03 Managed Solutions Identification and Build
04 Managed Availability and Capacity
05 Managed Organisational Change
06 Managed IT Changes
07 Managed Change Acceptance and Transitioning
08 Managed Knowledge
09 Managed Assets
10 Managed Configuration
11Managed Projects

BAI01: Managed Programs

Manage all programs from the investment portfolio in alignment with enterprise strategy and in a coordinated way, based on a standard program management approach. Initiate, plan, control, and execute programs, and monitor expected value from the program.

Realize desired business value and reduce the risk of unexpected delays, costs and value erosion. To do so, improve communications to and involvement of business and end users, ensure the value and quality of program deliverables and follow up of projects within the programs, and maximize program contribution to the investment portfolio.

BAI02: Managed Requirements Definition

Identify solutions and analyze requirements before acquisition or creation to ensure that they align with enterprise strategic requirements covering business processes, applications, information/data, infrastructure and services. Coordinate the review of feasible options with affected stakeholders, including relative costs and benefits, risk analysis, and approval of requirements and proposed solutions.

Create optimal solutions that meet enterprise needs while minimizing risk.

BAI03: Managed Solutions Identification and Build

Establish and maintain identified products and services (technology, business processes and workflows) in line with enterprise requirements covering design, development, procurement/sourcing and partnering with vendors. Manage configuration, test preparation, testing, requirements management and maintenance of business processes, applications, information/data, infrastructure and services.

Ensure agile and scalable delivery of digital products and services. Establish timely and cost-effective solutions (technology, business processes and workflows) capable of supporting enterprise strategic and operational objectives.

BAI04: Managed Availability and Capacity

Balance current and future needs for availability, performance and capacity with cost-effective service provision. Include assessment of current capabilities, forecasting of future needs based on business requirements, analysis of business impacts, and assessment of risk to plan and implement actions to meet the identified requirements.

Maintain service availability, efficient management of resources and optimization of system performance through prediction of future performance and capacity requirements.

BAI05: Managed Organisational Change

Maximize the likelihood of successfully implementing sustainable enterprisewide organizational change quickly and with reduced risk. Cover the complete life cycle of the change and all affected stakeholders in the business and IT.

Prepare and commit stakeholders for business change and reduce the risk of failure.

BAI06: Managed IT Changes

Manage all changes in a controlled manner, including standard changes and emergency maintenance relating to business processes, applications and infrastructure. This includes change standards and procedures, impact assessment, prioritisation and authorisation, emergency changes, tracking, reporting, closure and documentation.

Enable fast and reliable delivery of change to the business. Mitigate the risk of negatively impacting the stability or integrity of the changed environment.

BAI07: Managed Change Acceptance and Transitioning

Formally accept and make operational new solutions, including implementation planning, system and data conversion, acceptance testing, communication, release preparation, promotion to production of new or changed business processes and IT services, early production support, and a post-implementation review.

Implement solutions safely and in line with the agreed expectations and outcomes.

BAI08: Managed Knowledge

Maintain the availability of relevant, current, validated and reliable knowledge and management information to support all process activities and to facilitate decision making related to the governance and management of enterprise IT. Plan for the identification, gathering, organizing, maintaining, use and retirement of knowledge.

Provide the knowledge and information required to support all staff in the governance and management of enterprise I&T and allow for informed decision making.

BAI09: Managed Assets

Manage IT assets through their life cycle to make sure that their use delivers value at optimal cost, they remain operational (fit for purpose), and they are accounted for and physically protected. Ensure that those assets that are critical to support service capability are reliable and available. Manage software licenses to ensure that the optimal number are acquired, retained and deployed in relation to required business usage, and the software installed is in compliance with license agreements.

Account for all IT assets and optimize the value provided by their use.

BAI10: Managed Configuration

Define and maintain descriptions and relationships among key resources and capabilities required to deliver I&T-enabled services. Include collecting configuration information, establishing baselines, verifying and auditing configuration information, and updating the configuration repository.

Provide sufficient information about service assets to enable the service to be effectively managed. Assess the impact of changes and deal with service incidents.

BAI11: Managed Projects

Manage all projects that are initiated within the enterprise in alignment with enterprise strategy and in a coordinated way based on the standard project management approach. Initiate, plan, control and execute projects, and close with a post-implementation review

Realize defined project outcomes and reduce the risk of unexpected delays, costs and value erosion by improving communications to and involvement of business and end users. Ensure the value and quality of project deliverables and maximize their contribution to the defined programs and investment portfolio.

Align, Plan and Organise (COBIT 2019)

Parent Process Reference Framework (PRF):  COBIT

Align, Plan and Organise domain of COBIT contains the following processes:

01   Managed IT management framework. 
02 Managed Strategy. 
03 Managed Enterprise Architecture. 
04 Managed Innovation. 
05 Managed Portfolio. 
06 Managed Budget and Costs. 
07 Managed Human Resources. 
08 Managed Relationships. 
09 Managed Service Agreements. 
10 Managed Suppliers. 
11 Managed Quality. 
12 Managed Risk. 
13 Managed Security. 
14Managed Data

APO01: Managed IT Management Framework

Design the management system for enterprise IT based on enterprise goals and other design factors. Based on this design, implement all required components of the management system.

Implement a consistent management approach for enterprise governance requirements to be met, covering governance components such as management processes; organizational structures; roles and responsibilities; reliable and repeatable activities; information items; policies and procedures; skills and competencies; culture and behavior; and services, infrastructure and applications..

Related processes:

ISO/IEC 20000 – Context Leadership Planning Support

APO02: Managed Strategy

Provide a holistic view of the current business and IT environment, the future direction, and the initiatives required to migrate to the desired future environment. Ensure that the desired level of digitization is integral to the future direction and the IT strategy. Assess the organization’s current digital maturity and develop a road map to close the gaps. With the business, rethink internal operations as well as customer-facing activities. Ensure focus on the transformation journey across the organization. Leverage enterprise architecture building blocks, governance components and the organization’s ecosystem, including externally provided services and related capabilities, to enable reliable but agile and efficient response to strategic objectives..

Support the digital transformation strategy of the organization and deliver the desired value through a road map of incremental changes. Use a holistic I&T approach, ensuring that each initiative is clearly connected to an overarching strategy. Enable change in all different aspects of the organization, from channels and processes to data, culture, skills, operating model and incentives

Related processes:

Processes under ITIL Service Strategy

APO03: Managed Enterprise Architecture

Establish a common architecture consisting of business process, information, data, application and technology architecture layers. Create key models and practices that describe the baseline and target architectures, in line with the enterprise and I&T strategy. Define requirements for taxonomy, standards, guidelines, procedures, templates and tools, and provide a linkage for these components. Improve alignment, increase agility, improve quality of information and generate potential cost savings through initiatives such as re-use of building block components. .

Represent the different building blocks that make up the enterprise and its interrelationships as well as the principles guiding their design and evolution over time, to enable a standard, responsive and efficient delivery of operational and strategic objectives.

Related processes/frameworks

ITIL Service Design


APO04: Managed Innovation

Maintain an awareness of IT and related service trends and monitor emerging technology trends. Proactively identify innovation opportunities and plan how to benefit from innovation in relation to business needs and the defined IT strategy. Analyze what opportunities for business innovation or improvement can be created by emerging technologies, services or IT-enabled business innovation; through existing established technologies; and by business and IT process innovation. Influence strategic planning and enterprise architecture decisions.

Achieve competitive advantage, business innovation, improved customer experience, and improved operational effectiveness and efficiency by exploiting I&T developments and emerging technologies.

APO05: Managed Portfolio

Execute the strategic direction set for investments in line with the enterprise architecture vision and I&T road map. Consider the different categories of investments and the resources and funding constraints. Evaluate, prioritize and balance programs and services, managing demand within resource and funding constraints, based on their alignment with strategic objectives, enterprise worth and risk. Move selected programs into the active products or services portfolio for execution. Monitor the performance of the overall portfolio of products and services and programs, proposing adjustments as necessary in response to program, product or service performance or changing enterprise priorities.

Optimize the performance of the overall portfolio of programs in response to individual program, product and service performance and changing enterprise priorities and demand.

Related processes:

ITIL Service Portfolio Management

ISO/IEC 20000 – Service Portfolio

APO06: Managed Budget and Costs

Manage the IT-related financial activities in both the business and IT functions, covering budget, cost and benefit management and prioritization of spending through the use of formal budgeting practices and a fair and equitable system of allocating costs to the enterprise. Consult stakeholders to identify and control the total costs and benefits within the context of the I&T strategic and tactical plans. Initiate corrective action where needed..

Foster a partnership between IT and enterprise stakeholders to enable the effective and efficient use of I&T-related resources and provide transparency and accountability of the cost and business value of solutions and services. Enable the enterprise to make informed decisions regarding the use of I&T solutions and services.

Related processes

ITIL Financial Management

ISO/IEC 20000: Budgeting and Accounting for Services

APO07: Managed Human Resources

Provide a structured approach to ensure optimal recruitment/acquisition, planning, evaluation and development of human resources (both internal and external)

Optimise human resources capabilities to meet enterprise objectives.

Related processes

ISO/IEC 20000:  Management Context, Leadership, Planning and Support

APO08: Managed Relationships

Manage relationships with business stakeholders in a formalized and transparent way that ensures mutual trust and a combined focus on achieving the strategic goals within the constraints of budgets and risk tolerance. Base relationships on open and transparent communication, a common language, and the willingness to take ownership and accountability for key decisions on both sides. Business and IT must work together to create successful enterprise outcomes in support of the enterprise objectives.Create improved outcomes, increased confidence, trust in IT and effective use of resources.

Enable the right knowledge, skills and behaviors to create improved outcomes, increased confidence, mutual trust and effective use of resources that stimulate a productive relationship with business stakeholders.

Related processes:

ITIL Business Relationship Management

APO09: Managed Service Agreements

Align IT-enabled services and service levels with enterprise needs and expectations, including identification, specification, design, publishing, agreement, and monitoring of IT products and services, service levels and performance indicators.

Ensure that IT products, services and service levels meet current and future enterprise needs.

Related processes

ITIL Service Level Management

ISO/IEC 20000: Service Level Management

APO10: Managed Vendors

Manage IT-related products and services provided by all types of vendors to meet enterprise requirements. This includes the search for and selection of vendors, management of relationships, management of contracts, and reviewing and monitoring of vendor performance and vendor ecosystem (including upstream supply chain) for effectiveness and compliance.

Optimize available IT capabilities to support the IT strategy and road map, minimize the risk associated with nonperforming or noncompliant vendors, and ensure competitive pricing.

Related processes

ISO/IEC 20000: Supplier Management

ITIL Supplier Management

APO11: Managed Quality

Define and communicate quality requirements in all processes, procedures and related enterprise outcomes. Enable controls, ongoing monitoring, and the use of proven practices and standards in continuous improvement and efficiency efforts.

Ensure consistent delivery of technology solutions and services to meet the quality requirements of the enterprise and satisfy stakeholder needs.

Related processes

ISO/IEC 20000

APO12: Managed Risk

Continually identify, assess and reduce IT-related risk within levels of tolerance set by enterprise executive management.

Integrate the management of IT-related enterprise risk with overall  Enterprise Risk Management (ERM), and balance the costs and benefits of managing IT-related enterprise risk.

APO13: Managed Security

Define, operate and monitor a system for information security management system.

Keep the impact and occurrence of information security incidents within the enterprise’s risk appetite levels.

Related Processes:

ISO/IEC 20000: Information Security Management

APO14: Managed Data

Achieve and sustain effective management of the enterprise data assets across the data life cycle, from creation through delivery, maintenance and archiving.

Ensure effective utilization of the critical data assets to achieve enterprise goals and objectives.

Evaluate Direct and Monitor (COBIT 2019)

Parent Process Reference Framework (PRF):  COBIT

Evaluate Direct and Monitor domain consists of the following 5 processes

EDM01   Ensured Governance Framework Setting and Maintenance. 
EDM02 Ensured Benefits Delivery. 
EDM03 Ensured Risk Optimisation. 
EDM04 Ensured Resource Optimisation. 
EDM05 Ensured Stakeholder Engagement 

EDM01: Ensured Governance Framework Setting and Maintenance

Provide a consistent approach integrated and aligned with the enterprise governance approach. IT-related decisions are made in line with the enterprise’s strategies and objectives and desired value is realized. To that end, ensure that IT-related processes are overseen effectively and transparently; compliance with legal, contractual and regulatory requirements is confirmed; and the governance requirements for board members are met.

EDM02: Ensured Benefits Delivery

Optimize the value to the business from investments in business processes, IT services and IT assets.

Secure optimal value from IT-enabled initiatives, services and assets; cost-efficient delivery of solutions and services; and a reliable and accurate picture of costs and likely benefits so that business needs are supported effectively and efficiently.

EDM03: Ensured Risk Optimisation

Ensure that the enterprise’s risk appetite and tolerance are understood, articulated and communicated, and that risk to enterprise value related to the use of IT is identified and managed.

Ensure that IT-related enterprise risk does not exceed risk appetite and risk tolerance, the impact of IT risk to enterprise value is identified and managed, and the potential for compliance failures is minimised.

EDM04: Ensured Resource Optimisation

Ensure that adequate and sufficient IT-related capabilities (people, process and technology) are available to support enterprise objectives effectively at optimal cost.

Ensure that the resource needs of the enterprise are met in the optimal manner, IT costs are optimised, and there is an increased likelihood of benefit realisation and readiness for future change.

EDM05: Ensure Stakeholder Engagement

Ensure that stakeholders are identified and engaged in the I&T governance system and that enterprise I&T performance and conformance measurement and reporting are transparent, with stakeholders approving the goals and metrics and necessary remedial actions.

Ensure that stakeholders are supportive of the IT strategy and road map, communication to stakeholders is effective and timely, and the basis for reporting is established to increase performance. Identify areas for improvement, and confirm that IT-related objectives and strategies are in line with the enterprise’s strategy.

COBIT 2019

COBIT(Registered trademark) is a business framework for the governance and management of enterprise IT.  Enterprise IT means all the technology and information processing the enterprise puts in place to achieve its goals, regardless of where this happens in the enterprise. Enterprise IT is not limited to the IT department of an organization but certainly includes it

COBIT 2019 is the latest version of COBIT. Some of the enhancements from the previous version of COBIT ( i.e., COBIT 5) are:

  • introduction of design factors. Design factors provide guidelines to organisation to tailor the guidelines to suit their needs
  • introduction of focus areas.
    A focus area describes a certain governance topic, domain or issue that can be addressed by a collection of governance and management objectives and their components. Examples of focus areas include small and medium enterprises, cybersecurity, digital transformation, cloud computing, privacy, and DevOps
  • Component: Components are factors that, individually and collectively, contribute to the good operations of the enterprise’s governance system over IT. Components interact with each other, resulting in a holistic governance system for IT. Processes, Organisational Structures, Policies, Competencies are some of the examples of Components.
  • Component can be defined at Generic level and a Variant can exist. DevOps exemplifies both a component variant and a focus area. DevOps requires specific guidance, making it a focus area. DevOps includes a number of generic governance and management objectives of the core COBIT model, along with a number of variants of development-, operational- and monitoring-related processes and organizational structures

The governance and management objectives in COBIT are grouped into five domains.

Evaluate, Direct and Monitor (EDM) domain groups the governance objectives. In this domain, the governing body evaluates strategic options, directs senior management on the chosen strategic options and monitors the achievement of the strategy.

Management objectives are grouped in four domains.

Align, Plan and Organize (APO) addresses the overall organization, strategy and supporting activities for I&T.

Build, Acquire and Implement (BAI) treats the definition, acquisition and implementation of I&T solutions and their integration in business processes.

Deliver, Service and Support (DSS) addresses the operational delivery and support of I&T services, including security.

Monitor, Evaluate and Assess (MEA) addresses performance monitoring and conformance of I&T with internal performance targets, internal control objectives and external requirement

Context Diagram

COBIT is a comprehensive framework that covers Governance , Plan, Build, Run stages of  IT.  COBIT is set of control objectives that can be audited. COBIT does not specify any implementation guidelines, practices or tools. The organisations often chose a lower level framework to implement COBIT’s control objectives.

Summary Ratings

COBIT is first released in 19961 and celebrated its 20th anniversary in 2016. COBIT has been periodically updated by the sponsoring organisation ISACA.2.  It is one of the widely adopted framework for organisations pursuing IT Governance. The rating 4 given is because there is no legislative or regulatory requirements in Australia to enforce COBIT in Government or financial sector.

COBIT is tool agnostic.There are multiple tools required to govern and manage IT guided by COBIT framework.

ISACA provides extensive training support and assessment support for COBIT.

Please refer the Rating Criteria.

Longevity5 out of 5 stars (5 / 5)
Industry Adoption4 out of 5 stars (4 / 5)
Tool Support1 out of 5 stars (1 / 5)
Training Support5 out of 5 stars (5 / 5)
Assessment Support5 out of 5 stars (5 / 5)

Life Cycle Phases/Domains


SFIA Enterprise IT Governance





ISO/IEC 20000



« Previous Page