COBIT5 vs. Other IT Frameworks
COBIT5 is a framework developed by the Information Systems Audit and Control Association (ISACA) that assists enterprises in achieving their objectives for the governance and management of enterprise IT.
COBIT5 outlines five core principles that can benefit all enterprises, regardless of size, geography or industry:
- Meeting Stakeholder Needs
- Covering the Enterprise End to End
- Applying a Single Integrated Framework
- Enabling a Holistic Approach
- Separating Governance From Management
COBIT5 describes the principles and enablers that support an enterprise in meeting stakeholder needs, specifically those related to the use of IT assets and resources across the whole enterprise. The framework places significant emphasis on governance, which requires stakeholders to accept responsibility and accountability. It further requires them to understand business risk, the cost of doing business, and how to direct and monitor management.
COBIT5 defines two types of processes: governance processes (evaluate, direct, and monitor) and management processes (plan, build, run, and monitor). Even so, COBIT5 is much broader than frameworks such as ITIL or the Payment Card Industry Data Security Standard (PCI DSS), which focus on IT service management and IT security management respectively. For example, PCI DSS has specific and detailed requirements such as which encryption should or should not be used for data protection, network configuration requirements (access control systems have a default "deny-all" setting), and how to address common coding vulnerabilities in the software development cycle. COBIT5, by contrast, offers control objectives at a high and broad level. However, COBIT5 for Information Security provides guidance to help IT and security professionals understand, utilize, implement and direct important information security-related activities, and make more informed decisions while maintaining awareness of emerging technologies and the accompanying threats.
COBIT5 primarily aims to guide enterprises on the implementation, operation and improvement of their overall arrangements relating to governance and management of enterprise IT (GEIT). Other frameworks provide guidance and good practice for IT service providers and security professionals on the execution of IT service management from the perspective of enabling business value. Some schools of thought hold that the COBIT5 framework provides the "why", while frameworks such as ITIL or PCI DSS provide the "how." When implementing these frameworks, the choice should not be "one or the other." IT management and professionals should:
- Familiarize themselves with the various frameworks,
- Understand the business objectives and requirements, and
- Leverage the strengths of each applicable framework, adapting them for their own use as appropriate.