The Control Objectives for Information and related Technology (CobiT) best practices standard is the responsibility of the IT Governance Institute, which was itself established by the Information Systems Audit and Control Association (ISACA). On its Web site, ISACA says CobiT has been developed as “a generally applicable and accepted standard for good IT security and control practices.” It supports management’s needs when determining and monitoring the appropriate level of IT security and control for an organization.
Accepted as the standard for establishing compliance with Sarbanes-Oxley in the U.S. and Bill 198 in Ontario, CobiT is often thought of as being about control. It takes a top-down approach, breaking IT into 34 different processes and 318 more detailed control objectives. It describes what should be done, but does not describe how. More detailed best practices such as ITIL or ISO 17799 provide specific guidance about how to deliver and support IT services or how to ensure IT security.CobiT allows an organization to look backward with confidence that it will see everything of importance that IT has — or hasn’t — accomplished. Text CobiT allows an organization to look backward with confidence that it will see everything of importance that IT has — or hasn’t — accomplished. It also makes sense to use the standard to look forward to those process improvements that will deliver the maximum payback in the months and years ahead.
The 34 CobiT processes are divided into four categories: 11 planning and organization processes; six acquisition and implementation processes; 13 delivery and support processes; and four monitoring processes. Together, these processes provide solid coverage of everything important in IT. Each process is broken down into critical success factors, key goal indicators and key performance indicators. There is a six-point maturity scale for each process, ranging from non-existent to optimized.
It’s relatively simple for an organization to go through each process to determine how important it is. With the right people in the room, this can take less than a day. Each of the most important IT processes can then be examined to determine current and future desired maturity levels. From this exercise, which should take fewer than two days, one can derive an effective roadmap for the internal changes IT should undergo now and in the future.
Using the CobiT framework removes the need for debate and discussion about how to best divide IT into constituent processes, since CobiT already comes with a predefined — and extensively tested — subdivision of IT into clear and distinct processes. The maturity levels described for each process provide a comprehensible method to assess current performance and to describe desired future performance. CobiT also fits with a wide range of more detailed standards for such processes as service delivery, security, project management and quality.
CobiT is an open standard with all but the audit standard freely available for download on the ISACA Web site (www.isaca.org). Registration is required but costs nothing. Membership in ISACA is less than $200 per year and provides full access to the CobiT standard, including the audit standard. There are a number of ISACA-sponsored conferences and training sessions in North America and elsewhere in the world, from which IT managers could benefit. ISACA also produces a constant stream of IT governance research projects, all of which have been documented and are available on the association’s Web site.
No single IT governance standard is ideal for everyone, but the CobiT framework can easily adjust to meet the needs of a wide range of organizations. CobiT isn’t just for control — it provides a solid base for building a go-forward roadmap for an IT department’s investment in process improvements.
— Fabian is a senior management and systems consultant in Toronto. He can be reached at [email protected].