Issue of May 2004 



The COBIT source for best practices

COBIT is a set of best-practice standards for IT control and security that enterprises can follow. Here's how it can impact your organization. by Avinash Kadam

Control Objectives for Information and related Technology (COBIT) has been developed and promoted by the IT Governance Institute, which is part of the Information Systems Audit and Control Association (ISACA). COBIT has been promoted as a standard for control over IT.

How do we get IT under control so that it delivers the information an organization needs? COBIT is expected to help us in achieving this by breaking the problem into smaller parts. The COBIT framework divides the entire spectrum of IT management into 34 IT processes. How do we know if these IT processes are managed well? The COBIT framework has defined 318 control objectives and audit guidelines to make this job easy.

Controls and control objectives

Before we go any further, let us understand the terms ‘controls’ and ‘control objectives.’ Controls are defined by COBIT as “the policies, procedures, practices, and organizational structures designed to provide reasonable assurance that business objectives will be achieved, and that undesired events will be prevented or detected and corrected.”

So an e-mail policy, a virus detection procedure, a password selection practice, and a security committee are all examples of controls, since each prevents, detects or corrects undesired events.

Next is the definition of a control objective. COBIT states that an 'IT control objective is defined as a statement of the desired result or purpose to be achieved by implementing control procedures in a particular activity'.

So an IT control objective could be 'ensure continuous service', which can be met by implementing a number of control procedures such as writing continuity plans, continuity plan training, continuity plan testing, a back-up site and so on.

Managing resources

COBIT has defined various IT resources which need to be managed. These are data, application systems, technology, facilities and people. COBIT's focus is to ensure that these resources are well utilized for achieving the business objectives.

For management of these resources, COBIT has defined three criteria which should be met. These are quality requirements, fiduciary requirements, and security requirements. These three requirements are further broken down into seven desirable qualities: effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability of information.

The COBIT framework has a three-level structure. The top level consists of four domains, which are:

1. Planning and Organization

2. Acquisition and Implementation

3. Delivery and Support

4. Monitoring

If it looks similar to a PDCA (Plan-Do-Check-Act) cycle, it is not a coincidence. COBIT has expanded the PDCA definition to fit the IT activities. The next layer consists of 34 IT processes. And the last layer consists of the detailed tasks to carry out these IT processes.

There are 318 distinct tasks. The 34 IT processes are presented as the 34 high-level control objectives, and the 318 tasks are worded as 318 detailed control objectives. How these are used depends on who is looking at them: an IT manager could treat the IT processes and tasks as best practices, adopted by carrying out the tasks under each process.

The IS auditor could use COBIT to check whether the IT tasks were indeed carried out to meet the control objectives set under each of the tasks, and whether this achieved the high-level control objective set for the IT process. The last part is the audit guidelines. Again, the name should not put off IT managers. The audit guidelines provide an excellent checklist for high-level as well as detailed control objectives.

An auditor would use it for auditing the IT processes. An IT manager could use it as guidance for properly carrying out the IT process. It becomes a very handy tool to check the completeness of your approach and methodology.

Let us now take a deeper look into each domain.

Planning and Organization

Planning is all about preparing today to meet the demands of tomorrow. A strategic IT plan has to be defined which meets the enterprise business strategy. The IT plan then needs to be converted into information architecture design, which will again depend on the technological direction.

The plans need to be executed by an appropriate organization structure. The execution requires managing investments, assessing and managing risks, communication, project management, quality management, human resource management, and compliance with external requirements. To cover all these activities, the domain consists of the following IT processes:

  • Define a Strategic IT Plan
  • Define the Information Architecture
  • Determine Technological Direction
  • Define the IT Organization and Relationships
  • Manage the IT Investment
  • Communicate Management Aims and Direction
  • Manage Human Resources
  • Ensure Compliance with External Requirements
  • Assess Risks
  • Manage Projects
  • Manage Quality

The above 11 IT processes are further elaborated in individual tasks. For example, one of the processes is 'Assess Risks'. This is broken down into the following eight detailed control objectives:

1. Business Risk Assessment

2. Risk Assessment Approach

3. Risk Identification

4. Risk Measurement

5. Risk Action Plan

6. Risk Acceptance

7. Safeguard Selection

8. Risk Assessment Commitment

Reading through these detailed control objectives and associated audit guidelines clarifies what is expected from the high-level control objective of 'Assess Risk'.

Acquisition and Implementation

After the 'Plan' phase, we go to the 'Do' phase. Identifying and acquiring or developing solutions is needed to execute the plans. The solutions may consist of application software or technology infrastructure along with various operating procedures, user procedures and training manuals. After successfully acquiring the solution, it needs to be implemented, maintained, tested, accredited, and any changes need to be managed to ensure continued availability.

All these practical issues are dealt with in this domain by means of the following processes. As mentioned earlier, each process is supported by a detailed list of tasks to be performed.

  • Identify Automated Solutions
  • Acquire and Maintain Application Software
  • Acquire and Maintain Technology Infrastructure
  • Develop and Maintain Procedures
  • Install and Accredit Systems
  • Manage Changes

Delivery and Support

This is the second part of the 'Do' phase, where we are concerned about getting things operational and providing efficient and cost-effective services to meet the business objectives. This is probably the longest phase of the system lifecycle.

We need to ensure that the system continues to perform at the desired level. To accomplish this, we define and manage service levels, manage the third parties providing services, and ensure that the performance or capacity of the resources does not become a bottleneck.

During this phase we are also concerned about availability of continuous, uninterrupted service, even in the face of disasters. So we have to ensure that appropriate business continuity plans are documented and tested, and people are trained to execute them.

We are also concerned about system security, which is a major concern today. An entire standard, ISO 17799, is devoted to this topic alone. COBIT covers all the security aspects quite well, but these are spread all over the standard.

The next part is the day-to-day management aspect of IT: managing problems, incidents, data, configurations, facilities and operations, training the users, and assisting customers. While doing all this, we also have to manage the costs.

All these activities are defined in the following 13 processes, supported by detailed tasks.

1. Define and Manage Service Levels

2. Manage Third-Party Services

3. Manage Performance and Capacity

4. Ensure Continuous Service

5. Ensure Systems Security

6. Identify and Allocate Costs

7. Educate and Train Users

8. Assist and Advise Customers

9. Manage the Configuration

10. Manage Problems and Incidents

11. Manage Data

12. Manage Facilities

13. Manage Operations


Monitoring

The last domain of COBIT pertains to the 'Check' part. The 'Act' part, taking corrective action, is implemented by redoing the entire cycle starting from planning if this phase identifies some weakness in the process. This is done by monitoring all the processes through management information system reports. It could be further supported by exception reports, checking key performance indicators or critical success factors, and assessing customer certification. Monitoring the internal controls and doing an independent audit of the processes provides independent assessment.

Following are the monitoring processes. If the IT head does not want to be caught on the wrong side, he/she may as well implement these processes as a proactive measure and assure the management about the dependability of IT to achieve business objectives.

  • Monitor the Processes
  • Assess Internal Control Adequacy
  • Obtain Independent Assurance
  • Provide for Independent Audit

Maturity Model

COBIT does not have a certification process. In place of a formal certification, COBIT has suggested a maturity model for self-assessment. As we have seen earlier, each process of COBIT has a high-level control statement and between 3 and 30 detailed control objectives. The process owner should be able to determine the level of adherence to the control objective, either through self-assessment or an independent review.

The scale used for the maturity model is from 0 to 5.

0 — Non-Existent - Management processes are not applied at all.

1 — Initial - Processes are ad hoc and disorganized

2 — Repeatable - Processes follow a regular pattern

3 — Defined - Processes are documented and communicated

4 — Managed - Processes are monitored and measured

5 — Optimized - Best practices are followed and automated

The maturity model is recommended to be used by conducting the following mappings and comparisons:

  • The current status of the organization - where the organization is today
  • The current status of (best-in-class in) the industry - the comparison
  • The current status of international standard guidelines - additional comparison
  • The organization's strategy for improvement - where the organization wants to be.

This comparison needs to be done for each of the 34 IT processes.

COBIT package

The COBIT package includes the following. (You could buy it from

  • Executive Summary
  • Implementation Tool Set
  • Framework
  • Control Objectives
  • Audit Guidelines
  • Management Guidelines
  • A CD-ROM and a floppy

Apart from the above documentation, which is extensive, there are other publications to help you in implementing COBIT.

COBIT has evolved over the years. It is currently in its third edition, which was published in 2000. The fourth edition of COBIT is now eagerly awaited.

Avinash Kadam is Director of MIEL e-Security, Pvt. Ltd.

He can be reached at


Copyright 2001: Indian Express Newspapers (Bombay) Limited (Mumbai, India). All rights reserved throughout the world.